Allow LDAP group synced Owner access to Roles and Permissions page
What does this MR do and why?
This MR fixes the following defects:
- LDAP Owners that should be able to view the Group > Roles and Permissions page cannot. This policy and this policy prevent LDAP synchronized Owners from receiving the admin_group_member permission.
- Owners that have the admin_member_role permission are not able to fetch the list of member roles via the GraphQL API. After the Roles and Permissions page is loaded the frontend code issues a GraphQL query to fetch the list of member roles. Access to the list of member roles is authorized using the read_member_role permission. Currently, an empty list of results is returned to any user that has the admin_member_role ability (i.e. Owners).
To fix the first issue the authorization for the groups/roles_and_permissions#index action was changed to use the same permission checked in the RolesFinder that is used to fetch the list of roles.
To fix the second issue the GroupPolicy was updated to give the read_member_role permission to any user that has the admin_member_role permission.
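The two defects are both authorization mismatches: the page action checked one ability while the finder behind the GraphQL query checked another, and the finder silently returned an empty list rather than denying access. The following plain-Ruby model is an added illustration written for this description, not GitLab's GroupPolicy, RolesFinder or controller code; the GroupPolicy class, the role names and the LDAP Owner's grants are constructed assumptions that only mirror the abilities named above.

```ruby
require 'set'

# Constructed stand-in for GitLab's GroupPolicy (not the real DeclarativePolicy class):
# it answers can?(ability) from a set of directly granted abilities, optionally with
# the rule this MR adds, where holding :admin_member_role also grants :read_member_role.
class GroupPolicy
  def initialize(granted, admin_implies_read: false)
    @granted = granted.to_set
    @admin_implies_read = admin_implies_read
  end

  def can?(ability)
    return true if @granted.include?(ability)

    ability == :read_member_role && @admin_implies_read && @granted.include?(:admin_member_role)
  end
end

# Constructed sample member roles that the finder would return.
SAMPLE_ROLES = %w[guest-plus reporter-plus].freeze

# Stand-in for the finder behind the GraphQL query: it authorizes with :read_member_role
# and returns an empty list otherwise, which is the silent failure in the second defect.
def fetch_member_roles(policy)
  policy.can?(:read_member_role) ? SAMPLE_ROLES : []
end

# Stand-in for the roles_and_permissions#index action. The first defect is that the
# action checked :admin_group_member while the finder checked :read_member_role.
def roles_and_permissions_page(policy, page_permission:)
  return { status: 403, roles: nil } unless policy.can?(page_permission)

  { status: 200, roles: fetch_member_roles(policy) }
end

# Constructed LDAP-synced Owner: holds :admin_member_role but is denied
# :admin_group_member by the LDAP sync policies, and was never given :read_member_role.
LDAP_OWNER_GRANTS = [:admin_member_role].freeze

# Before either fix: the page is refused outright.
def before_fix
  policy = GroupPolicy.new(LDAP_OWNER_GRANTS)
  roles_and_permissions_page(policy, page_permission: :admin_group_member)
end

# Only the controller fix: the page now checks the finder's permission, but without
# the policy rule the Owner still lacks :read_member_role, so it is still refused.
def controller_fix_only
  policy = GroupPolicy.new(LDAP_OWNER_GRANTS)
  roles_and_permissions_page(policy, page_permission: :read_member_role)
end

# Only the policy fix: the Owner can read roles, but the page still checks the
# wrong ability, so it is still refused.
def policy_fix_only
  policy = GroupPolicy.new(LDAP_OWNER_GRANTS, admin_implies_read: true)
  roles_and_permissions_page(policy, page_permission: :admin_group_member)
end

# Both fixes: page and finder agree on :read_member_role, and admin implies read.
def after_fix
  policy = GroupPolicy.new(LDAP_OWNER_GRANTS, admin_implies_read: true)
  roles_and_permissions_page(policy, page_permission: :read_member_role)
end

if __FILE__ == $PROGRAM_NAME
  puts "before:          #{before_fix}"
  puts "controller only: #{controller_fix_only}"
  puts "policy only:     #{policy_fix_only}"
  puts "after:           #{after_fix}"
end
```

The two partial cases show why the description lists two fixes rather than one: aligning the action with the finder's permission is necessary but not sufficient, and so is the new policy rule. A regression test for this class of bug asserts that the action and the finder deny or allow the same users, so that a future policy change cannot reopen the gap where the page renders but the list comes back empty.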
After both fixes are applied:
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
How to set up and validate locally
- Enable openldap
- Configure LDAP sync
- Lock memberships to LDAP sync
- Login with one of the LDAP Owner accounts
- Visit the Roles and Permissions page for the LDAP synced group.
Edited by mo khan