-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[full-ci] Implement permission concept for handling user abilities #8431
Conversation
57a0f52
to
009ebcf
Compare
aa18463
to
6f88e92
Compare
Results for e2e-tests oCIS https://drone.owncloud.com/owncloud/web/32941/12/1 💥 To see the trace, please open the link in the console ...
npx playwright show-trace https://cache.owncloud.com/public/owncloud/web/32941/tracing/spaces-can-be-managed-in-the-admin-settings-alice-2023-2-17-11-37-10.zipnpx playwright show-trace https://cache.owncloud.com/public/owncloud/web/32941/tracing/spaces-can-be-managed-in-the-admin-settings-brian-2023-2-17-11-37-14.zip |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a changelog item. The removal of the permission manager is a breaking change for extension developers.
packages/web-app-admin-settings/src/mixins/general/resetLogo.ts
Outdated
Show resolved
Hide resolved
d318322
to
f37a533
Compare
@kulmann This is in a finished state from my side (for now at least). The permissions coming from the server still have weird names, that's going to change in the future. Also, there still seem to be bugs with the default permissions of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🥳 🚀
Kudos, SonarCloud Quality Gate passed! |
Description
Until now, Web handles permission checks only based on role names. This PR adds support for permissions that come from the server. The lib
CASL
has been introduced for defining and enforcing those permissions.The permission concept is a bit complicated because it has 2 "layers": Permissions that are only related to the user and permissions that additionally relate to a resource (like share permissions, space roles). We only care about the former here! That distinction is very important to fully understand how the permissions are structured.
They can be found in packages/web-runtime/src/services/auth/abilities.ts and consist of an
action
and asubject
. Actions have one of two suffixes:-all
(system-wide permission) or-own
(restricted to the current user). E.g.:{ action: 'create-all', subject: 'Account' }
defines the permission to read all accounts of this system{ action: 'read-all', subject: 'Space' }
defines the permission to read all spaces on this system{ action: 'create-own', subject: 'Space' }
defines the permission to create a personal space on this systemAll available actions and subjects are defined in packages/web-pkg/src/utils/types.ts.
The
PermissionManager
has been removed as we don't need it anymore.Note: Requires the latest server docker image!
Related Issue
Types of changes