Closed
Bug 1237161
Opened 8 years ago
Closed 8 years ago
Allow users with bless permissions to update users group membership using WebService
Categories
(Bugzilla :: WebService, enhancement)
Tracking
()
RESOLVED
FIXED
Bugzilla 6.0
People
(Reporter: mtyson, Assigned: mtyson)
Details
Attachments
(1 file, 2 obsolete files)
2.07 KB,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
If a user has bless permissions for a group, but not editusers itself, they can't add or remove users from that group using the Users.update or /rest/user/id RPC methods. I think the simplest way of doing this is to allow anyone that can bless permission to set groups only, and restricting the rest of the operations to anyone in the editusers group. Attached is a patch to modify the RPC endpoints to do this. Opinions?
Attachment #8704470 -
Flags: review?
Comment 1•8 years ago
|
||
Comment on attachment 8704470 [details] [diff] [review] bless.patch >+ # If there are any groups, allow someone with bless permission to set them. >+ if (my $groups = delete $values->{groups}) { >+ foreach my $user (@$user_objects) { >+ $user->set_all({groups => $groups}); >+ } >+ } >+ >+ # Require editusers for all other operations. >+ if ($user->in_group('editusers')) { >+ foreach my $user (@$user_objects) { >+ $user->set_all($values); >+ } > } You don't need to duplicate the foreach loop. You only need this first line right before the existing foreach loop: $values = { groups => $values->{groups} } unless $user->in_group('editusers'); foreach my $user (@$user_objects) { $user->set_all($values); } Also, you need to update the documentation to specify that users with bless privileges can also call this method.
Attachment #8704470 -
Flags: review? → review-
Updated•8 years ago
|
Target Milestone: --- → Bugzilla 6.0
Assignee | ||
Comment 2•8 years ago
|
||
Ah, that's simpler. Here's a new patch with documentation added.
Attachment #8704470 -
Attachment is obsolete: true
Attachment #8704878 -
Flags: review?(LpSolit)
Comment 3•8 years ago
|
||
Ah, I meant to document this change in docs/en/rst/api/core/v1/user.rst.
Assignee | ||
Comment 4•8 years ago
|
||
Ah, my bad. I've updated the rst documentation instead.
Attachment #8704878 -
Attachment is obsolete: true
Attachment #8704878 -
Flags: review?(LpSolit)
Attachment #8704914 -
Flags: review?(LpSolit)
Comment 5•8 years ago
|
||
Comment on attachment 8704914 [details] [diff] [review] 1237161.patch >+++ b/docs/en/rst/api/core/v1/user.rst >+If you are not in *editusers* you may add or remove users from groups if you have >+bless permissions for the groups you wish to modify. The POD in Bugzilla/WebService/User.pm should be updated to also contain this comment. Also, this comment should also mention that all other changes will be ignored. Otherwise, your patch looks good and works fine. Thanks! r=LpSolit
Attachment #8704914 -
Flags: review?(LpSolit) → review+
Comment 6•8 years ago
|
||
Requesting approval as this is an API change.
Status: NEW → ASSIGNED
Flags: relnote?
Flags: approval?
Summary: Unable to update users group membership via RPC using bless permissions. → Allow users with bless permissions to update users group membership using WebService
Updated•8 years ago
|
Flags: approval? → approval+
Comment 7•8 years ago
|
||
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 8c54443..c81a842 master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•