Role assignment UI #2739
Role assignment UI #2739
Conversation
- Add system id list to client - Add methods to add and remove users as system managers. - When creating tokens, persist a list of system ids to the token.
…points that have limited system manager permissions. - Multiple variations required depending on whether it is the fides key or a request body as dependencies. - Separate out "system update" and "system delete" from the crud routes to give an additional system manager oauth check. - Update these endpoints to have new "system update" and "system delete" scopes. - Bump downrev of migration. - Rename _has_correct_scopes to has_scope_subset since I will share this method between files - Move some common logic in verify_oauth_util into a new method: extract_token_and_load_client that can be shared with multiple authentication methods. - Update client on login with scopes/roles/systems if client already exists, just in case - Consolidate system fixtures into one and add required fields
…gular scope doesn't grant the user permissions to 20+ endpoints. - This allows us to do things like give system managers permission to just a few endpoints, not all ctl-related resources. - Rename scopes that would conflict with existing ops scopes - Add new read scopes to the viewer role - Remove updating client on login (added last commit).
…efault an empty list to match scopes and roles. - Add new system-manager-related annotations to db dataset yaml. - Add tests with correct scopes and incorrect scopes to crud endpoints.
…s and client.scopes columns if the user has cli-objects:-* scopes. Assert "resource deleted" in crud and system delete responses.
- Fix test for TestGetSystemFromRequestBody which was not getting run.
…stem manager is deleted. - Clients may still have systems on them, but the user or system doesn't exist so this doesn't seem problematic. - Refresh client on login so it has the most up-to-date values, especially if they've been adjusted directly in the db.
…aces all the systems the user manages with those in the request body.
- PUT /user/{user_id}/system-manager
- GET /user/{user_id}/system-manager
- GET /user/{user_id}/system-manager/{system_key}
- DELETE /user/{user_id}/system-manager/{system_key}
Adds new system manager scopes. Adds the read scopes to the viewer role.
… to maintain the status quo.
…m_manager_endpoints
…v is set to prod so we can populate all the starter resources.
…m_manager_endpoints
|
There are these role descriptions hanging out on the right with Owner text duplicated in each of them -
|
|
Looks like we're still using the old mapping in the user summary page. The new role name is "Approver" but in this summary it's being called "Privacy Request Manager", same for "Viewer and Privacy Request Manager." Product requirements changed during this project and they renamed the roles.
|
|
I'm assuming this is pre-existing behavior, but the backend only allows the first name and last name of a user to be edited here after it's created, not the username. Should we disable the username from being edited here? It gives the appearance you can edit but you can't. This could be reticketed.
|
|
@pattisdr I went ahead and updated the username form field to be disabled after the user is created |
|
Bravo! You're addressing changes faster than I'm finding them. |
|
I do think this should be reticketed: Saving changes on ctl datasets when you don't have permissions shows a green popup that you "Success: Successfully modified collection" although the API request returned a 403 and no data changed.
|
|
This is looking really good @allisonking and @eastandwestwind. I've reticketed separate backend work here https://github.com/ethyca/fidesplus/issues/683 for next sprint |
This is to avoid too much prop drilling, especially while delete can be called in two different flows
|
Great work, @eastandwestwind ! I went in and QA'd and fixed up a few things:
|
|
Just added a slight functionality change for better experience. Before, when deleting a user on their profile page, we stayed on that page, which is misleading because you can no longer edit the user if it doesn't exist. I'm updating such that we reroute to user management table upon user delete |
|
Side note: I've noticed some flakiness with the We'll soon be able to remove this line of code anyway, as it's a known bug, documented here- #2788 For now, though, re-running the test suite seems to work. |
eastandwestwind
force-pushed
the
aking/fidesplus-641/role-assignment-ui
branch
from
1ff5847
to
6b0c94d
Compare
|
Reverting to Allison's last commit, since she already covered the reroute to user management page upon user delete! |
Closes https://github.com/ethyca/fidesplus/issues/641
This branches off of multiple branches, so the diff will be unseemly until those branches are mergedBranches are merged, though commit history has many of the commits from #2682 because of the squashed merge + I'm not good enough at rebasing 🙃
Code Changes
Steps to Confirm
Pre-Merge Checklist
CHANGELOG.mdDescription Of Changes
Write some things here about the changes and any potential caveats