Agency admins can't create new admin groups #339
GUI added a commit to NREL/api-umbrella that referenced this issue on May 22, 2016:

- Allows limited admins to create sub-scopes underneath their current scopes (18F/api.data.gov#135).
- Allows limited admins to create new groups utilizing the scopes they have access to (18F/api.data.gov#339).
- Fixes potential security issues where a limited admin with knowledge of internal record UUIDs could overwrite records they didn't originally have access to with data they do have access to. Since this hinges upon knowing the random UUIDs of the records the admin doesn't have access to view, this hopefully shouldn't be likely.
- Refactor most of the admin permission tests to ensure better consistency and coverage. There's now a shared baseline of permission checks we can easily apply across all admin resource types to ensure basic permission checks. The same permission checks are also now tested across all CRUD actions (rather than requiring different tests be written for each CRUD action).
GUI added a commit to NREL/api-umbrella that referenced this issue on May 22, 2016:

- Allows limited admins to create sub-scopes underneath their current scopes (18F/api.data.gov#135).
- Allows limited admins to create new groups utilizing the scopes they have access to (18F/api.data.gov#339).
- Fixes potential security issues where a limited admin with knowledge of internal record UUIDs could overwrite records they didn't originally have access to (by overwriting the original record with data they do have access to). Since this hinges upon the limited admin knowing the random UUIDs of other records they don't have access to view, the likelihood of this actually being exploitable should be low.
- Refactor most of the admin permission tests to ensure better consistency and coverage. There's now a shared baseline of permission checks we can more easily apply across all admin resource types to ensure basic permission checks. We also now perform the same permission check tests across all CRUD actions (rather than requiring different tests to be written for each CRUD action, which was easy to miss and difficult to maintain).
Fixed by NREL/api-umbrella#238
When an agency administrator logs into the admin, if they navigate to the Admin Groups and try to create a new admin group, they won't be able to, because they can't select any scopes. The scopes list is currently empty (partially due to this related issue: #135).
Superuser admins can create new groups, but we want agency admins to also be able to create new groups within their scopes. This will allow agency admins to create other permission groups as they see fit (for example, if they want to add other admin accounts but only allow those admins access to analytics and not API backend management).
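The authorization rules this issue and the linked commit message describe (a limited admin may only create groups from scopes they already hold, and an update must be checked against the record as it currently exists, not just against the incoming data) can be illustrated with a small scope-based policy. The following Ruby is an added example written for this page, not api-umbrella's own code; the `Admin`, `AdminGroup`, `ApiScope` and `AdminPolicy` names, the host plus path-prefix shape of a scope, and the sample agency data are all assumptions made for the illustration.

```ruby
# Added example (not api-umbrella's own code): scope-based authorization for
# admin group management. All class names and the "host + path_prefix" scope
# shape are assumptions made for this illustration.

ApiScope = Struct.new(:host, :path_prefix) do
  def key
    "#{host}#{path_prefix}"
  end
end

# An admin group grants a set of API scopes plus a set of permissions.
AdminGroup = Struct.new(:id, :name, :api_scopes, :permissions)

# An admin is either a superuser or a limited admin who belongs to groups.
Admin = Struct.new(:username, :superuser, :groups) do
  # Every scope the admin reaches through group membership.
  def accessible_scopes
    groups.flat_map(&:api_scopes).uniq(&:key)
  end
end

class AdminPolicy
  def initialize(admin)
    @admin = admin
  end

  # A scope is accessible when the admin holds the same host with an equal
  # path prefix or a parent path prefix (segment-aligned), so a limited admin
  # can create sub-scopes underneath the scopes they already have.
  def scope_accessible?(scope)
    return true if @admin.superuser

    @admin.accessible_scopes.any? do |own|
      parent = own.path_prefix.end_with?("/") ? own.path_prefix : "#{own.path_prefix}/"
      own.host == scope.host &&
        (scope.path_prefix == own.path_prefix || scope.path_prefix.start_with?(parent))
    end
  end

  # A group with no scopes would be meaningless, so require at least one.
  def all_scopes_accessible?(scopes)
    !scopes.empty? && scopes.all? { |s| scope_accessible?(s) }
  end

  # Create: every scope on the proposed group must be one the admin holds.
  def can_create_group?(new_scopes)
    all_scopes_accessible?(new_scopes)
  end

  # Update: check BOTH the record as it exists today AND the proposed data.
  # Validating only the incoming data is the defect the commit describes: a
  # record id outside the admin's scope could be replaced with in-scope data.
  def can_update_group?(existing_group, new_scopes)
    all_scopes_accessible?(existing_group.api_scopes) &&
      all_scopes_accessible?(new_scopes)
  end

  # Lookups should be scoped too, so out-of-scope ids behave like unknown ids.
  def visible_groups(groups)
    groups.select { |g| all_scopes_accessible?(g.api_scopes) }
  end
end

# Constructed sample data for the demonstration (not real records).
AGENCY_SCOPE = ApiScope.new("api.example.gov", "/agency-a/")
OTHER_SCOPE  = ApiScope.new("api.example.gov", "/agency-b/")

AGENCY_GROUP = AdminGroup.new("uuid-agency-a", "Agency A Admins", [AGENCY_SCOPE], %w[analytics backend_manage])
OTHER_GROUP  = AdminGroup.new("uuid-agency-b", "Agency B Admins", [OTHER_SCOPE], %w[analytics])

AGENCY_ADMIN = Admin.new("alice", false, [AGENCY_GROUP])
SUPERUSER    = Admin.new("root", true, [])

# Runs each decision for the limited agency admin and returns the outcomes.
def demo
  policy = AdminPolicy.new(AGENCY_ADMIN)
  analytics_only = ApiScope.new("api.example.gov", "/agency-a/analytics-only/")
  {
    create_within_scope: policy.can_create_group?([analytics_only]),
    create_outside_scope: policy.can_create_group?([OTHER_SCOPE]),
    update_own_group: policy.can_update_group?(AGENCY_GROUP, [AGENCY_SCOPE]),
    overwrite_other_group: policy.can_update_group?(OTHER_GROUP, [AGENCY_SCOPE]),
    visible_count: policy.visible_groups([AGENCY_GROUP, OTHER_GROUP]).size,
    superuser_anywhere: AdminPolicy.new(SUPERUSER).can_create_group?([OTHER_SCOPE])
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The `overwrite_other_group` case is the one that matters for the security fix: the agency admin submits only scopes they legitimately hold, yet the update is refused because the target record's existing scopes are outside their access. The same pattern applies to any resource type a limited admin can edit, which is why the commit message moves the checks into a shared baseline run across all CRUD actions.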