-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions handling #2841
Comments
@gondzo I absolutely agree that we have to centralize it. Also, several times came across this, when we redefine the same variables for roles in sevaral places: The suggested approach looks good to me, if can describe all the relateion between user |
@gondzo yeah agree we could centralize it and let's use this centalize code for the Account manager role task only for now, as changing all the existing places for permissions check is risky. But going forward for newer checks we will be using this centralize method, even we could specify explicitly about using this in our future challenges specs. |
@maxceem can we include this as a part of CF ? we can define different sections of connect in different git issues or git checklist so that there are no bugs and well tested, as its a impacting change |
@RishiRajSahu Also, I've noticed that here, we use |
@maxceem good point, I think the list of possible permissions should not be high only the places where they need to be put are lot, so I would like to rephrase my previous comment here, we are trying to completely remove using variables, it might be intentional as might requires defining new rules. I think we ourselves should define the set of different possible permissions scenarios and leave all possible places to participants to apply those permissions. |
@maxceem @RishiRajSahu I would like to do this step by step. I mean, we should pick only one area of the application at time to replace the permission logic with the centralized system so that we can be sure of what are the potential area of failure after the release. So, could we identify different impact areas (e.g. team management is one area) first and add them as sub tasks of this issue? |
@vikasrohit yes, totally agree on this. By the way, recently I got some idea. We have the same permission are being defined in several applications. And we always have to keep them in sync. For example. Customer users cannot see private posts. So we have to handle this logic in three applications:
I don't suggest any particular solution at the moment. But probably in theory, we can define permissions somewhere in one place and use them across applications. |
Good idea @maxceem. However, I think we are not yet ready for moving this permission to a separate common place. Another reason is that we might get some changes in the way we authorize users after some upcoming changes e.g. organizations feature in Connect. @RishiRajSahu @maxceem upto you guys, how you want to handle this for now. I think we can replace permissions check per bundle of features step by step for now. |
@vikasrohit yeah we can do it for connect only at first, in steps, with particular page/section of Connect chosen at a time to exploit permission model. Anyway once we have replaced all places with permissions model we can move it (in future when we are clear with all kind of authorisations required with respect to organisations feature) easily to central place/repo, also by then the changes we are doing for replacing will also be baked enough and foolproof. @maxceem shall we start by creating a separate milestone/tag and under that create issues for each page/section of Connect ? and then how about running a CF for that ? |
@RishiRajSahu agree. I've created a project on Git for this: https://github.com/appirio-tech/connect-app/projects/13 I think we can start moving a section at a time as you suggested, so we could properly test small pieces rather than moving altogether. Will create the spec for some section.
If we don't refactor all together, I think there is no need in a separate CF. We can include them in regular CF all handle via F2F. |
@RishiRajSahu so are we going to include some of the sections/items in the next CF ? |
@RishiRajSahu I'll try to include some portion. |
@RishiRajSahu I propose to slightly update checkPermission method before start migrating the rest of our code to this method.
|
@RishiRajSahu what to do you think about the suggestion above? |
@maxceem approach of making the method generic is good idea. Below is my input on that - what is the |
|
which property to read would be determined based on which role we are checking. For checking If some config option from permission would require us checking us something for phases, it would use |
fyi @RishiRajSahu |
@maxceem Our permission model contains both the roles(topcoder/project) with each section/page on our Connect App, for example phases/project-plan section has both accessibility constraints with project roles. Also as per your example - |
You are right @RishiRajSahu we don't have any premission which need So at the moment, I guess we will only have The reason why I propose to use So to sum up:
Example possible situation:
|
@maxceem yep I agree with just two arguments and having generic |
Got your question @RishiRajSahu In general, the code inside
|
Got it via 1. , thanks ! @maxceem |
Make it same like on Project Service ref issue #2841
@RishiRajSahu This is done via PR #4169 QA Guidelines
|
@RishiRajSahu @maxceem @gondzo :
|
For Customer users - Dashboard needs all Phases expanded according to the requirement. |
|
@maxceem @acshields @RishiRajSahu pls confirm that Connect Manager is expected to see Direct and Salesforce links for all Projects. |
@lakshmiathreya as per me, they should see it. But it's better if @acshields or @RishiRajSahu confirm this. |
@acshields - would like you to review this https://docs.google.com/spreadsheets/d/1KTlFFsBaGtEJw6wtpELqpYyqORjWmahE_mK34m8WxWM/edit#gid=0 before I mark this Pass! |
@lakshmiathreya looks good to me and connect manager is expected to see those links. Another update from sheet |
Closing this as verified on prod. cc @lakshmiathreya |
With the new user roles we have a lot of places to update regarding permission checks so the code for permission checks will be more and more complex inside containers/components, ex
How about centralizing permission checks to a common module (or configuration file)?
For example we could have a single method for permission checks like
util.checkPermission(PERMISSIONS.EDIT_PROJECT_PLAN, user, entity)
with entity parameter being the one we're checking the permission for (ex project, plan, phase, timeline, thread, etc)What do you think @vikasrohit @maxceem @RishiRajSahu ?
The text was updated successfully, but these errors were encountered: