Adding_Permission_Grant_list_to_UserGroup_Profile_UI
Currently there’s no way of seeing a user’s permission grants all in one place. You have to go to each object’s permissions tab to find a given user’s grants. The user profile page should include a tab and/or block on the page which shows the full set of grants, both global and object-level, for a given user.
When we’ve implemented User Groups, add the same tab/block on the group profile page to show group-level permission grants.
Owner(s) of the feature - Scott Seago
- Targeted release:
- Last update:
See ‘Detailed description’ and ‘High-level implementation details’ for
more information, but the screens/UI flow will be as follows:
* As an Administrator, go to the ‘user profile’ page for a user
* There will be a permission grants block on the page that looks
similar to the object ‘permissions’ UI (but in reverse)
* Click ‘Add Permission Grant’ which takes the user to the ‘new
permission’ UI
* Choose an object type (such as ‘pool’) and get a list of pools. For
each pool a list of valid roles shows up — any role the user is
currently in on that pool will be unavailable to add
* Select a Role on one of the Pools and click ‘submit’
* The new permission grant will now show up in the grant list
* The grant list can be filtered on Object Type, or left at ‘all’ to
show everything.
* We can demonstrate that this user now has permission on the resource
* Going back to the permission list, we can now remove the permission
by selecting the checkbox next to it and clicking ‘remove’
* Now the user will no longer have access.
- All of the above steps can be repeated for a UserGroup, starting on the details page for a UserGroup
Implementation tasks aren’t defined in Redmine yet, but the tasks will
be:
* Refactor permission new/view/list to take a User or UserGroup ID as
an alternative to a permissioned_object ID: the “what to show” logic
(users/groups vs. objects) will be determined by what ID is passed in.
* Add ‘permission grants’ block to User profile page
* Add ‘permission grants’ block to UserGroup details page
The “permission grants” tab will be much like the object-specific grants, but in reverse. Instead of looking at a single resource (a pool, an instance, etc.) and a list of users that have been granted roles on it, we’ll start with a single user and see a list of resources the user has been granted roles on. This will use the standard filter table component we use elsewhere, and the pre-defined search filters will allow the user to look at grants for one object type at a time (i.e. “show me Deployment grants this user has been given” vs. “show me this user’s global grants”).
Consistent with other filter table UI components, the grants will have checkboxes next to them, allowing the (privileged) user the ability to remove a bunch of grants at once, and there will be a ‘grant permissions’ action that will take the user to a form with a list of resources to grant permissions on (again like the current object-specific “grant permissions” action but in reverse — list of objects to grant the specific user a role on vs. a list of users to grant roles on for this object).
On the User Group profile, the ‘permission grants’ tab will be much the same, except we’ll show/grant/remove permissions on the group rather than on an individual.
Add a ‘permission grants’ section to the User Profile (and User Group) pages. The View pane will be similar to the current “Permissions” pane/tab, but instead of listing users/groups with roles, we’ll list resources (“Redmine Deployment”, “Redmine/front-end Instance”, “Default Pool”, “Global Permission”, etc) and roles. The pre-defined filters at the top of the filter table will allow “all” resources, and filtering by type (“All”, “Global Permissions”, “Pools”, “Images”, etc.). This will show up on the user’s own ‘my profile’ page, as well as on the user details page for Administrators. Add/remove functionality will be allowed (for “User” administrators on the User pages, and for Group-level admins on the UserGroup pages). This will be similar to the current UI elements — with a ‘Remove Permissions’ action button on top (acting on selected checkboxes), and a ‘Grant Permissions’ button which takes the user to a new ‘Grant Permissions’ panel.
Like the view page, the ‘Grant Permissions’ panel will be similar to the current Grant page, but again in reverse. We already know the user (or group) — the form will be to select the resource. One difference is that we won’t provide an “all” option in the filter queries selection, since there’s no point in putting all system objects of all types into one list. In addition, the list view will be filtered to show only those resources on which the acting user has permission to grant access (although for a site Admin this would still be everything).
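The reverse grant list and the filtered ‘Grant Permissions’ form described above, sketched in plain Ruby as an added example; it is not the project's own code. `GrantStore`, `GRANTING_ROLES`, the role names and the sample users are hypothetical, and the rule that an object-level admin/owner role is what allows granting is an assumption.

```ruby
# Added illustration in plain Ruby with in-memory data; every name here is hypothetical.
Grant = Struct.new(:entity, :role, :object_type, :object_name)

class GrantStore
  ROLES = { "Pool" => %w[pool.user pool.admin],
            "Deployment" => %w[deployment.user deployment.owner] }.freeze
  GRANTING_ROLES = %w[pool.admin deployment.owner].freeze # assumption: these may grant

  def initialize(objects, site_admins: [])
    @objects = objects # constructed sample: [[type, name], ...]
    @site_admins = site_admins
    @grants = []
  end

  # Reverse view: all grants held by one user or group, optionally one object type.
  def grants_for(entity, type: nil)
    @grants.select { |g| g.entity == entity && (type.nil? || g.object_type == type) }
  end

  def can_grant?(actor, type, name)
    return true if @site_admins.include?(actor)
    grants_for(actor, type: type).any? { |g| g.object_name == name && GRANTING_ROLES.include?(g.role) }
  end

  # Grant form: one type at a time, only objects the actor may grant on,
  # and roles the target already holds on an object are left out.
  def grantable(actor, target, type)
    visible = @objects.select { |t, n| t == type && can_grant?(actor, t, n) }
    visible.to_h do |_, name|
      held = grants_for(target, type: type).select { |g| g.object_name == name }.map(&:role)
      [name, ROLES.fetch(type) - held]
    end
  end

  # Submit handler re-derives the allowed set instead of trusting the form.
  def grant!(actor, target, type, name, role)
    allowed = grantable(actor, target, type).fetch(name, [])
    raise ArgumentError, "grant not permitted" unless allowed.include?(role)
    @grants << Grant.new(target, role, type, name)
  end
end

def demo_store
  store = GrantStore.new([["Pool", "Default Pool"], ["Pool", "QA Pool"],
                          ["Deployment", "Redmine"]], site_admins: ["admin"])
  store.grant!("admin", "alice", "Pool", "Default Pool", "pool.admin")
  store.grant!("admin", "bob", "Pool", "Default Pool", "pool.user")
  store
end
```

Because `grant!` recomputes `grantable` on submit, a request naming an object or role that was never offered in the filtered list is rejected rather than applied.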
Follow up plans after implementing the feature.
Maybe other new features or some improvement of the feature.
Links to other future feature pages.
Links and other references related to the feature.
Mails, IRC logs, documentation for libraries used, links to other parts
of project documentation, etc.