We have discussed this at MO end, although perhaps good to discuss this at the VC.
For info, the consensus here is to raise an exception if an empty list appears in the config. The thinking is that an empty list could potentially be ambiguous, it could either mean:
- do not add or remove any permissions, group permissions apply. i.e. there is no contribution to existing permissions.
- remove permissions (the same as !ALL), in which case what would happen on user1 being a member of groupa in this case....

```
"user1" : []
"group:groupa" : ["READ"]
```
I think safest with things security related is to have the user explicitly say what they want.
Currently we raise an exception at the time of access, the uiserver continues running but with failed authorization (no access to the user). So essentially the current implementation does remove permissions.
However, I think if we want to seek explicit clarification from the user, this exception would be better implemented at validation (see issue) and perhaps we should shut down the ui-server on this error?
Ref: #204 (comment)
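The following is an added example, not code from the project or from the issue author. It resolves the two readings of an empty list for the config quoted above and rejects that config at validation time. The function names, the groups-before-user resolution order and the handling of `!`-prefixed entries other than `!ALL` are assumptions made for illustration.

```python
class AuthConfigError(ValueError):
    """Raised at start-up when the authorization config is ambiguous."""

def validate_authorization(config):
    """Fail closed: reject any entry whose permission list is empty."""
    problems = []
    for principal, perms in config.items():
        if not isinstance(perms, list):
            problems.append(f"{principal!r}: expected a list")
        elif not perms:
            problems.append(f"{principal!r}: empty list is ambiguous, "
                            'state the intent explicitly (e.g. ["!ALL"])')
    if problems:
        raise AuthConfigError("; ".join(problems))
    return config

def _apply(granted, perms):
    """Apply grants and "!"-prefixed removals in order (assumed semantics)."""
    for perm in perms:
        if perm == "!ALL":
            granted.clear()
        elif perm.startswith("!"):
            granted.discard(perm[1:])
        else:
            granted.add(perm)

def effective_permissions(config, user, groups, empty_means_remove_all):
    """Resolve permissions under one chosen reading of an empty list.

    Assumption: group entries are applied first, then the user's own entry.
    """
    granted = set()
    for group in groups:
        _apply(granted, config.get(f"group:{group}", []))
    own = config.get(user)
    if own is None:
        return granted
    if not own:  # the ambiguous case from the discussion
        return set() if empty_means_remove_all else granted
    _apply(granted, own)
    return granted

# Constructed samples: the config from the discussion, and an explicit variant.
AMBIGUOUS = {"user1": [], "group:groupa": ["READ"]}
EXPLICIT = {"user1": ["!ALL"], "group:groupa": ["READ"]}
```

Calling `validate_authorization` once when the config is loaded, and refusing to start on `AuthConfigError`, moves the failure from access time to validation time.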