Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Agency admins can't create new admin groups #339

Closed
GUI opened this issue May 22, 2016 · 1 comment
Closed

Agency admins can't create new admin groups #339

GUI opened this issue May 22, 2016 · 1 comment
Assignees

Comments

@GUI
Copy link
Member

GUI commented May 22, 2016

When an agency administrator logs into the admin, if they navigate to the Admin Groups and try to create a new admin group, they won't be able to, because they can't select any scopes. The scopes list is currently empty (partially due to this related issue: #135)

Superuser admins can create new groups, but we want agency admins to also be able to create new groups within their scopes. This will allow agency admins to create other permission groups as they see fit (for example, if they want to add other admin accounts but only allow those admins access to analytics and not API backend management).

@GUI GUI self-assigned this May 22, 2016
GUI added a commit to NREL/api-umbrella that referenced this issue May 22, 2016
- Allows limited admins to create sub-scopes underneath their current
  scopes (18F/api.data.gov#135).
- Allows limited admins to create new groups utilizing the scopes they
  have access to (18F/api.data.gov#339).
- Fixes potential security issues where a limited admin with knowledge
  of internal record UUIDs could overwrite records they didn't
  originally have access to with data they do have access to. Since this
  hinges upon knowing the random UUIDs of the records the admin doesn't
  have access view, this hopefully shouldn't be likely.
- Refactor most of the admin permission tests to ensure better
  consistency and coverage. There's now a shared baseline of permission
  checks we can easily apply across all admin resource types to ensure
  basic permission checks. The same permission checks are also now
  tested across all CRUD actions (rather than requiring different tests
  be written for each CRUD action).
GUI added a commit to NREL/api-umbrella that referenced this issue May 22, 2016
- Allows limited admins to create sub-scopes underneath their current
  scopes (18F/api.data.gov#135).
- Allows limited admins to create new groups utilizing the scopes they
  have access to (18F/api.data.gov#339).
- Fixes potential security issues where a limited admin with knowledge
  of internal record UUIDs could overwrite records they didn't
  originally have access to with data they do have access to. Since this
  hinges upon knowing the random UUIDs of the records the admin doesn't
  have access view, this hopefully shouldn't be likely.
- Refactor most of the admin permission tests to ensure better
  consistency and coverage. There's now a shared baseline of permission
  checks we can easily apply across all admin resource types to ensure
  basic permission checks. The same permission checks are also now
  tested across all CRUD actions (rather than requiring different tests
  be written for each CRUD action).
GUI added a commit to NREL/api-umbrella that referenced this issue May 22, 2016
- Allows limited admins to create sub-scopes underneath their current
  scopes (18F/api.data.gov#135).
- Allows limited admins to create new groups utilizing the scopes they
  have access to (18F/api.data.gov#339).
- Fixes potential security issues where a limited admin with knowledge
  of internal record UUIDs could overwrite records they didn't
  originally have access to (by overwriting the original record with
  data they do have access to). Since this hinges upon the limited admin
  knowing the random UUIDs of other records they don't have access to
  view, the likelihood of this actually being exploitable should be low.
- Refactor most of the admin permission tests to ensure better
  consistency and coverage. There's now a shared baseline of permission
  checks we can more easily apply across all admin resource types to
  ensure basic permission checks. We also now perform the same
  permission check tests across all CRUD actions (rather than requiring
  different tests to be written for each CRUD action, which was easy to
  miss and difficult to maintain).
@GUI
Copy link
Member Author

GUI commented May 23, 2016

Fixed by NREL/api-umbrella#238

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant