
Allow LDAP group synced Owner access to Roles and Permissions page

mo khan requested to merge mokhax/434172/read-roles-permissions-page into master

What does this MR do and why?

This MR fixes the following defects:

  1. LDAP Owners that should be able to view the Group > Roles and Permissions page cannot.
    • This policy and this policy prevent LDAP synchronized Owners from receiving the admin_group_member permission. LDAP Owners cannot view Roles and Permissions page
  2. Owners that have the admin_member_role permission are not able to fetch the list of member roles via the GraphQL API.
    • After the Roles and Permissions page is loaded, the frontend code issues a GraphQL query to fetch the list of member roles. Access to the list of member roles is authorized using the read_member_role permission. Currently, an empty list of results is returned to any user that has the admin_member_role ability (i.e. Owners). Bug: read_member_role not provided to admin_member_role users

To fix the first issue the authorization for the groups/roles_and_permissions#index action was changed to use the same permission checked in the RolesFinder that is used to fetch the list of roles.

To fix the second issue the GroupPolicy was updated to give the read_member_role permission to any user that has the admin_member_role permission.

After both fixes are applied:

[Screenshot: With both fixes]

#434172 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

[Screenshots: LDAP Configuration; LDAP Sync]

[Screenshots: Before / After (two pairs)]

How to set up and validate locally

  1. Enable openldap
  2. Configure LDAP sync
  3. Lock memberships to LDAP sync
  4. Log in with one of the LDAP Owner accounts
  5. Visit the Roles and Permissions page for the LDAP synced group.
Edited by mo khan
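A simplified sketch in plain Ruby of the two ability changes described in the MR, added here as an illustration: it is not GitLab's DeclarativePolicy code and not this MR's diff. Class, method and sample names (GroupPolicySketch, roles_page_outcome, the users and groups) are assumptions; the "lock memberships to LDAP sync" rule is reduced to a single boolean, and the pre-fix state of read_member_role is modelled only as "not derived from admin_member_role", since the page does not show where it was granted before. The sketch shows both defects separately: an LDAP-synced Owner denied the page (fix 1), and a direct Owner who reaches the page but gets an empty role list (fix 2).

```ruby
# Added illustration, not GitLab's code: a stand-in for the GroupPolicy
# abilities named in the MR description. All names here are assumptions.

# Constructed sample types: a user is either an LDAP-synced member or a
# directly added one; a group may lock memberships to LDAP sync.
User  = Struct.new(:name, :ldap_synced, keyword_init: true)
Group = Struct.new(:name, :ldap_sync_locked, :owners, :member_roles, keyword_init: true)

class GroupPolicySketch
  # fixed: false models the behaviour before the MR, true the behaviour after.
  def initialize(user, group, fixed:)
    @user = user
    @group = group
    @fixed = fixed
  end

  def owner?
    @group.owners.include?(@user.name)
  end

  # Membership administration is withheld from LDAP-synced Owners when the
  # group's memberships are locked to LDAP sync (the policies the MR links to).
  def admin_group_member?
    owner? && !(@group.ldap_sync_locked && @user.ldap_synced)
  end

  # Managing custom member roles is an Owner ability regardless of LDAP sync;
  # this is the ability the RolesFinder checks.
  def admin_member_role?
    owner?
  end

  # Fix 2: read_member_role is derived from admin_member_role. Before the fix
  # it was not (modelled as never granted here, an assumption of this sketch).
  def read_member_role?
    @fixed && admin_member_role?
  end

  # Fix 1: groups/roles_and_permissions#index authorizes with the same ability
  # the RolesFinder uses, instead of admin_group_member.
  def can_view_roles_and_permissions_page?
    @fixed ? admin_member_role? : admin_group_member?
  end

  # Stand-in for the GraphQL member roles query backed by the RolesFinder.
  def member_roles
    read_member_role? ? @group.member_roles : []
  end
end

# Outcome of loading the page and then running the follow-up GraphQL query.
def roles_page_outcome(user, group, fixed:)
  policy = GroupPolicySketch.new(user, group, fixed: fixed)
  return { page: :denied, roles: [] } unless policy.can_view_roles_and_permissions_page?

  { page: :ok, roles: policy.member_roles }
end

# Constructed sample data (not from the page).
ROLES       = ['Deploy reviewer', 'Incident responder'].freeze
LDAP_GROUP  = Group.new(name: 'ldap-synced', ldap_sync_locked: true,
                        owners: %w[alice], member_roles: ROLES)
PLAIN_GROUP = Group.new(name: 'plain', ldap_sync_locked: false,
                        owners: %w[bob], member_roles: ROLES)
ALICE = User.new(name: 'alice', ldap_synced: true)   # Owner via LDAP group sync
BOB   = User.new(name: 'bob',   ldap_synced: false)  # Owner added directly
CAROL = User.new(name: 'carol', ldap_synced: true)   # LDAP user, not an Owner

if __FILE__ == $PROGRAM_NAME
  [[ALICE, LDAP_GROUP, 'LDAP Owner'], [BOB, PLAIN_GROUP, 'direct Owner'],
   [CAROL, LDAP_GROUP, 'non-Owner']].each do |user, group, label|
    puts "#{label} before: #{roles_page_outcome(user, group, fixed: false)}"
    puts "#{label} after:  #{roles_page_outcome(user, group, fixed: true)}"
  end
end
```

Before the fix the LDAP Owner is denied the page outright (defect 1) while the direct Owner reaches it but receives an empty list (defect 2); after both changes each Owner sees the page and the roles, and the non-Owner is still denied. When validating locally, checking both an LDAP-synced Owner and a non-Owner guards against the authorization being loosened rather than corrected.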
