[admin-settings] Spaces: Admin cannot disable space which he is not member of #5960

Closed
hurradieweltgehtunter opened this issue Mar 10, 2023 · 11 comments

Comments

@hurradieweltgehtunter

Steps to reproduce

  1. Login as admin, go to admin settings -> Spaces
  2. Right click on space, where you are not a member

Expected behaviour

Actions to disable/enable a space are disabled

Actual behaviour

I cannot disable / enable a space

From my current understanding, this should be possible, because it's not a space content revealing action. (Content revealing actions like name, description,... are reserved to space managers)


@JammingBen
Contributor

That's because the Admin role does not have the permission to do so - only Space Admins have. If that's not the way we want (@tbsbdr ?), we need to transfer the issue to the backend because Web relies on the permissions coming from oCIS.

> From my current understanding, this should be possible, because it's not a space content revealing action.

In general: content revealing actions are only possible for Space Admins if they are a member of the space (e.g. editing space image and description). Non-content revealing actions are possible for any Space Admin (edit name/subtitle/quota, disable/enable, delete).

@hurradieweltgehtunter
Author

@micbar told me that an admin (not space admin) should be able to disable/enable a space even when he's not a member of it, which sounds reasonable to me from a UI perspective. That's why I opened this issue. Did I get that wrong? If so, I'm sorry.

@hurradieweltgehtunter
Author

@micbar just confirmed that it's a bug

@micbar
Contributor

micbar commented Mar 10, 2023

let us check. I was not aware that the Admin misses that permission.

@micbar
Contributor

micbar commented Mar 10, 2023

@hurradieweltgehtunter Is that a default ocis instance?

@hurradieweltgehtunter
Author

> @hurradieweltgehtunter Is that a default ocis instance?

https://ocis.ocis-wopi.latest.owncloud.works

@JammingBen
Contributor

JammingBen commented Mar 10, 2023

> let us check. I was not aware that the Admin misses that permission.

`Drive.ReadWriteEnabled.all` is missing for regular Admins, which is the permission Web checks for here (see #5414 (comment)). Note that this permission also grants the other non-content-revealing actions in Web: edit name and description (subtitle).

There is also a permission called `delete-all-spaces.all`, which the Admin has, but not the Space Admin. Though it doesn't seem to do anything? In general, while things work (most of the time 😄 ), I still get heavily confused by the naming and meaning of the oCIS permissions.
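
The rule described in the comments above (global permissions gate non-content-revealing actions, content-revealing actions need membership) can be checked as a role/action matrix. This is an added example, not code from ownCloud Web, oCIS or any participant in this thread; the action table, the expected matrix and the function names are hypothetical, and the role grants are constructed from what the comments report.

```javascript
// Added illustration, not ownCloud Web or oCIS code.
// Role grants as reported in this thread (constructed from the comments, not read from oCIS).
const REPORTED_GRANTS = {
  'Admin': ['delete-all-spaces.all'], // Drive.ReadWriteEnabled.all reported missing
  'Space Admin': ['Drive.ReadWriteEnabled.all'],
  'User': [],
  'Guest': []
}

// Hypothetical action table: the gating permission and whether the action reveals content.
const ACTIONS = {
  'disable': { permission: 'Drive.ReadWriteEnabled.all', contentRevealing: false },
  'enable': { permission: 'Drive.ReadWriteEnabled.all', contentRevealing: false },
  'edit-name': { permission: 'Drive.ReadWriteEnabled.all', contentRevealing: false },
  'edit-image': { permission: null, contentRevealing: true }
}

// isSpaceManager: the user is a manager-level member of the target space.
function canPerform (role, isSpaceManager, action, grants) {
  const rule = ACTIONS[action]
  if (!rule) return false // deny unknown actions
  if (isSpaceManager) return true // assumption: managers may act on their own space
  if (rule.contentRevealing) return false // a global role alone never reveals content
  return (grants[role] || []).includes(rule.permission)
}

// Expected outcomes for users who are NOT members of the space.
// Admin and Space Admin rows follow the thread; User and Guest rows are assumed deny checks.
const EXPECTED_NON_MEMBER = [
  { role: 'Admin', action: 'disable', allowed: true },
  { role: 'Space Admin', action: 'disable', allowed: true },
  { role: 'Admin', action: 'edit-image', allowed: false },
  { role: 'Space Admin', action: 'edit-image', allowed: false },
  { role: 'User', action: 'disable', allowed: false },
  { role: 'Guest', action: 'disable', allowed: false }
]

// Returns every "role:action" whose computed decision differs from the expected one.
function findGaps (grants) {
  return EXPECTED_NON_MEMBER
    .filter(e => canPerform(e.role, false, e.action, grants) !== e.allowed)
    .map(e => `${e.role}:${e.action}`)
}

// Grants with the missing permission added for Admin, to confirm no over-grant appears.
const FIXED_GRANTS = { ...REPORTED_GRANTS, Admin: [...REPORTED_GRANTS.Admin, 'Drive.ReadWriteEnabled.all'] }
console.log(findGaps(REPORTED_GRANTS), findGaps(FIXED_GRANTS))
```

Running the same matrix against the grants a live instance actually hands out would flag both a missing permission and an unintended one.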

@micbar
Contributor

micbar commented Mar 10, 2023

seems they are redundant. Let me do a code check in the backend.

@JammingBen
Contributor

@micbar What's the status here, should we move the issue to the oCIS repo?

@amrita-shrestha
Contributor

amrita-shrestha commented May 30, 2023

@JammingBen I think we can close this issue because this issue has been resolved and we have passing API tests for this issue:

```gherkin
Scenario Outline: an admin and space manager can disable other space via the Graph API
  Given the administrator has given "Carol" the role "<role>" using the settings api
  When user "Carol" disables a space "Project Moon" owned by user "Alice"
  Then the HTTP status code should be "204"
  And the user "Carol" should not have a space called "Project Moon"
  Examples:
    | role        |
    | Admin       |
    | Space Admin |
```

```gherkin
Scenario Outline: an admin and space manager can delete other disabled Space
  Given the administrator has given "Carol" the role "<role>" using the settings api
  And user "Alice" has disabled a space "Project Moon"
  When user "Carol" deletes a space "Project Moon" owned by user "Alice"
  Then the HTTP status code should be "204"
  And the user "Alice" should not have a space called "Project Moon"
  And the user "Carol" should not have a space called "Project Moon"
  Examples:
    | role        |
    | Admin       |
    | Space Admin |
```

```gherkin
Scenario Outline: user with role user and guest cannot delete others disabled space via the Graph API
  Given the administrator has given "Carol" the role "<role>" using the settings api
  And user "Alice" has disabled a space "Project Moon"
  When user "Carol" tries to delete a space "Project Moon" owned by user "Alice"
  Then the HTTP status code should be "404"
  Examples:
    | role  |
    | User  |
    | Guest |
```

Similar issue #5872

@SagarGi
Member

SagarGi commented Jun 7, 2023

@JammingBen @ScharfViktor This issue is fixed, so maybe this can be closed. A test has been added for it and seems to be working fine. More tests are covered by this PR as well, related to the admin managing the spaces created by others (where he is not a member of the space): owncloud/web#9132
