We have some special "policy" logic right now for the problem of who can give another user an object role.
The current logic appears a little too permissive in the case of immutable models. Instead of normal CRUD, these may only have ('add', 'view') permissions or ('add', 'delete', 'view') permissions.
Right now, when 'change' permission is not present, we have a stop-gap rule that you can assign other users object roles if you have all the possible permissions to that object. But if the only possible permission is view... this isn't very good.
This proposal is to change the rule to:
When "change" permission is not present, "change" permission to the parent object will be required to give other users roles to that object. If no parent object exists, then only superusers can give users roles to said object.
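The two rules side by side, as an added example that is not part of the original issue or the project's code: it shows a view-only user passing the stop-gap check on an immutable object and failing the proposed one. The class and function names, the superuser bypass in the stop-gap rule, and the behavior when 'change' exists are assumptions, and the sample objects and users are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Obj:
    name: str
    possible: frozenset            # object-level permissions the model defines
    parent: Optional["Obj"] = None

@dataclass
class User:
    name: str
    is_superuser: bool = False
    grants: dict = field(default_factory=dict)   # object name -> set of held perms

    def has(self, perm, obj):
        return perm in self.grants.get(obj.name, set())

def can_assign_stopgap(user, obj):
    """Stop-gap rule: without 'change', holding every possible perm is enough."""
    if user.is_superuser:                  # assumption: superusers always pass
        return True
    if "change" in obj.possible:           # assumption: 'change' gates assignment when it exists
        return user.has("change", obj)
    return all(user.has(p, obj) for p in obj.possible)

def can_assign_proposed(user, obj):
    """Proposed rule: without 'change', require 'change' on the parent, else superuser only."""
    if user.is_superuser:
        return True
    if "change" in obj.possible:
        return user.has("change", obj)
    if obj.parent is None:
        return False
    return user.has("change", obj.parent)  # only the immediate parent is checked here

# Constructed sample data (hypothetical names)
org = Obj("org", frozenset({"change", "delete", "view"}))
event = Obj("event", frozenset({"view"}), parent=org)      # immutable, view-only
orphan = Obj("orphan", frozenset({"view"}))                # immutable, no parent
viewer = User("viewer", grants={"event": {"view"}, "orphan": {"view"}})
org_admin = User("org_admin", grants={"org": {"change", "view"}})
root = User("root", is_superuser=True)

if __name__ == "__main__":
    for u in (viewer, org_admin, root):
        for o in (event, orphan):
            print(u.name, o.name, can_assign_stopgap(u, o), can_assign_proposed(u, o))
```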