Closed Bug 1237161 Opened 8 years ago Closed 8 years ago

Allow users with bless permissions to update users group membership using WebService

Categories

(Bugzilla :: WebService, enhancement)

Product:
Bugzilla
Component:
WebService
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 6.0

People

(Reporter: mtyson, Assigned: mtyson)

Details

Attachments

(1 file, 2 obsolete files)

1237161.patch
2.07 KB, patch
LpSolit
: review+
Details | Diff | Splinter Review
Attached patch bless.patch (obsolete) — Splinter Review 
If a user has bless permissions for a group, but not editusers itself, they can't add or remove users from that group using the Users.update or /rest/user/id RPC methods.

I think the simplest way of doing this is to allow anyone that can bless permission to set groups only, and restricting the rest of the operations to anyone in the editusers group.

Attached is a patch to modify the RPC endpoints to do this.  Opinions?
Attachment #8704470 - Flags: review?
Comment on attachment 8704470 [details] [diff] [review]
bless.patch

>+    # If there are any groups, allow someone with bless permission to set them.
>+    if (my $groups = delete $values->{groups}) {
>+        foreach my $user (@$user_objects) {
>+            $user->set_all({groups => $groups});
>+        }
>+    }
>+
>+    # Require editusers for all other operations.
>+    if ($user->in_group('editusers')) {
>+        foreach my $user (@$user_objects) {
>+            $user->set_all($values);
>+        }
>     }

You don't need to duplicate the foreach loop. You only need this first line right before the existing foreach loop:

    $values = { groups => $values->{groups} } unless $user->in_group('editusers');
    foreach my $user (@$user_objects) {
        $user->set_all($values);
    }

Also, you need to update the documentation to specify that users with bless privileges can also call this method.
Attachment #8704470 - Flags: review? → review-
Target Milestone: --- → Bugzilla 6.0
Attached patch 1237161.patch (obsolete) — Splinter Review 
Ah, that's simpler.

Here's a new patch with documentation added.
Attachment #8704470 - Attachment is obsolete: true
Attachment #8704878 - Flags: review?(LpSolit)
Ah, I meant to document this change in docs/en/rst/api/core/v1/user.rst.
Attached patch 1237161.patchSplinter Review 
Ah, my bad.

I've updated the rst documentation instead.
Attachment #8704878 - Attachment is obsolete: true
Attachment #8704878 - Flags: review?(LpSolit)
Attachment #8704914 - Flags: review?(LpSolit)
Comment on attachment 8704914 [details] [diff] [review]
1237161.patch

>+++ b/docs/en/rst/api/core/v1/user.rst

>+If you are not in *editusers* you may add or remove users from groups if you have
>+bless permissions for the groups you wish to modify.

The POD in Bugzilla/WebService/User.pm should be updated to also contain this comment. Also, this comment should also mention that all other changes will be ignored.

Otherwise, your patch looks good and works fine. Thanks! r=LpSolit
Attachment #8704914 - Flags: review?(LpSolit) → review+
Requesting approval as this is an API change.
Status: NEW → ASSIGNED
Flags: relnote?
Flags: approval?
Summary: Unable to update users group membership via RPC using bless permissions. → Allow users with bless permissions to update users group membership using WebService
Flags: approval? → approval+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   8c54443..c81a842  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: