Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement access control #14

Open
1 of 5 tasks
Tracked by #32
evert opened this issue Sep 20, 2022 · 0 comments
Open
1 of 5 tasks
Tracked by #32

Implement access control #14

evert opened this issue Sep 20, 2022 · 0 comments
Assignees
Milestone

Comments

@evert
Copy link
Collaborator

evert commented Sep 20, 2022

High-level requirements for access control

  • Users should only be able to see projects they were given explicit access to.
  • The type of access you have in a project is either 'member' or 'owner'. If you are a member, you can enter time in the project (but not see anyone else's). If you are an owner, you can see everything, and invite new people into the project.

All of this should be handled by a12n-server groups and privileges ideally. This might down the road create some challenges, but I would like a12n-server to be very capable as a store for access control lists.

  • When a user creates a client, automatically assign a owner privilege associating the client and the user.
  • Add an endpoint in the API that lets a user add a different user (by principal uri) to a project and assign a specific privilege (logger, admin, owner). (New Endpoint: Add a Person to Project #47)
  • Restrict the client list to only return clients that the user has access to. This change needs to apply to both the 'list', but also anything else that fetches information about clients. Typically we do this work in controllers, but I worry that's not wise here given that we'll need to duplicate this logic in a lot of places.
  • Do the same for projects
  • Restrict operations further based on which specific role a user has on a client/project. For example, only owners can invite other users. Only admins and owners can see other people's entries. Everyone can submit to a project they have access to.
@evert evert added this to the MVP 1 milestone Sep 20, 2022
@BeckyPollard BeckyPollard modified the milestones: MVP 1 , MVP 0.5 Sep 30, 2022
@BeckyPollard BeckyPollard moved this to Todo in Time Tracker Sep 30, 2022
@syedfkabir syedfkabir self-assigned this Oct 23, 2022
@syedfkabir syedfkabir moved this from Todo to In Progress in Time Tracker Oct 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: In Progress
Development

No branches or pull requests

3 participants