Flattened permission tree includes child permissions for non-Umbrella scopes

Created on 30 December 2022, almost 2 years ago
Updated 26 December 2023, 11 months ago

Problem/Motivation

Scopes can be nested as an umbrella, so a scope can provide multiple roles and/or permissions. A child scope can be linked to a parent through its configuration form. However, when the 'Umbrella' checkbox is unselected from the parent, the child scopes are still included in the flattened permission tree.

Steps to reproduce

Created a Dynamic scope umbrella:
- Umbrella: Login, role: Authenticated user
-- Child: View own profile, permission 'view own profile'
-- Child: Administer users, permission 'administer users'

Disable the 'Umbrella' option on 'Login' and notice the permission tree still includes 'View own profile' and 'Administer users'.

Proposed resolution

Do not load child permissions for non-Umbrella scopes

Remaining tasks

  1. Write a patch
  2. Review
  3. Commit

User interface changes

None.

API changes

None.

Data model changes

None.

🐛 Bug report
Status

Closed: works as designed

Version

6.0

Component

Code

Created by

🇳🇱Netherlands idebr


Comments & Activities


  • 🇳🇱Netherlands kingdutch

    I realise this has been open for a while, but as someone who was part of creating the original design, I want to clarify Bojan's above message a little bit.

    By default all scopes must map to a permission. However, in a hierarchy you might want to have a scope which provides multiple other scopes without itself being tied to providing a new permission. The only difference between an umbrella scope and a non-umbrella scope is that the umbrella scope does not require the assignment of a role or permission. It can be nested anywhere in the tree.

    - Non-umbrella scope: user (provides "administer users" permission)
    -- Non-umbrella scope: user:list (provides permission: "list user")
    -- Umbrella scope: user:profile (provides no permissions on its own)
    --- Non-umbrella scope user:profile:email (provides permission: "view any email profile field")
    --- Non-umbrella scope user:profile:address (provides permission: "view any address profile field")
    --- Non-umbrella scope user:profile:phone (provides permission: "view any phone profile field")

    I believe this issue should be "Closed (works as designed)"

  • Status changed to Closed: works as designed 11 months ago
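To make the "works as designed" outcome concrete, here is an added, stand-alone model of the two trees on this page (the 'Login' umbrella from the steps to reproduce and the user:profile hierarchy from kingdutch's comment). It is example code written for this page, not the module's own implementation; the Scope class, the flatten() and validate() helpers and the scope names are constructed to illustrate the point, and the role/permission rule follows the comment above: the umbrella flag only relaxes the requirement that a scope carries a role or permission, it does not prune child scopes from the flattened tree.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Scope:
    """One node of a scope hierarchy (constructed model, not the module's class)."""
    name: str
    umbrella: bool = False
    role: Optional[str] = None
    permissions: FrozenSet[str] = frozenset()
    children: List["Scope"] = field(default_factory=list)


def validate(scope: Scope) -> List[str]:
    """Names of scopes breaking the rule from the comment: every non-umbrella
    scope must map to at least one role or permission."""
    problems = []
    if not scope.umbrella and scope.role is None and not scope.permissions:
        problems.append(scope.name)
    for child in scope.children:
        problems.extend(validate(child))
    return problems


def flatten(scope: Scope) -> FrozenSet[str]:
    """Flattened permission tree: own permissions plus every descendant's,
    independent of the umbrella flag (the behaviour the issue reported)."""
    perms = set(scope.permissions)
    for child in scope.children:
        perms |= flatten(child)
    return frozenset(perms)


def login_tree(umbrella: bool) -> Scope:
    """Tree from 'Steps to reproduce'; `umbrella` is the checkbox on 'Login'."""
    return Scope("login", umbrella=umbrella, role="authenticated", children=[
        Scope("view_own_profile", permissions=frozenset({"view own profile"})),
        Scope("administer_users", permissions=frozenset({"administer users"})),
    ])


def profile_tree() -> Scope:
    """Tree from kingdutch's comment: user:profile is an umbrella with no permission."""
    return Scope("user", permissions=frozenset({"administer users"}), children=[
        Scope("user:list", permissions=frozenset({"list user"})),
        Scope("user:profile", umbrella=True, children=[
            Scope("user:profile:email", permissions=frozenset({"view any email profile field"})),
            Scope("user:profile:address", permissions=frozenset({"view any address profile field"})),
            Scope("user:profile:phone", permissions=frozenset({"view any phone profile field"})),
        ]),
    ])
```

Running flatten(login_tree(True)) and flatten(login_tree(False)) yields the same two permissions, while clearing the umbrella flag on user:profile without giving it a permission is exactly what validate() flags.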