Task #2863
open
Don't allow users to delete (cancel) the role requests which they didn't create
0%
Description
By default, users may delete (cancel) an open role request which they didn't create.
Example:
- manager adds some role to the user
- there is some error on the system
- both the user and the manager may delete the request
It would be safer if the user couldn't delete the request if they didn't create it themselves.
Updated by Alena Peterová over 3 years ago
- Subject changed from Don't allow users to delete the role requests in which they are involved to Don't allow users to delete (cancel) the role requests in which they are involved
- Description updated (diff)
The requests cannot be deleted completely, just cancelled. However, the idea is still the same: if I'm not the author of the request, I shouldn't be able to cancel it.
Updated by Alena Peterová over 3 years ago
- Description updated (diff)
I deleted the technical proposal on how to change the userRole permissions, because evidently SelfRoleRequestEvaluator and RoleRequestByWfInvolvedIdentityEvaluator work in a different way than I thought. I don't know how to keep the Delete permission only for the creator of the role request now; maybe some other evaluator is needed.
Updated by Alena Peterová over 3 years ago
- Subject changed from Don't allow users to delete (cancel) the role requests in which they are involved to Don't allow users to delete (cancel) the role requests which they didn't create
- Description updated (diff)
Updated by Radek Tomiška over 3 years ago
- Assignee changed from Radek Tomiška to Vít Švanda
Updated by Vít Švanda over 3 years ago
If I understand correctly, you need a new evaluator (something like 'SelfCreatorRoleRequestEvaluator') to get the permissions based on the creator field (not by the applicant field as used in SelfRoleRequestEvaluator), right?
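The difference between an applicant-based and a creator-based permission check, as discussed in this thread, shown as an added example that is not the project's own code. It is a simplified stand-alone model: the `RoleRequest` record, the `Evaluator` interface and both rules are hypothetical names, and the assumptions that only open requests can be cancelled and that the applicant keeps read access are made for illustration.

```java
import java.util.EnumSet;
import java.util.Set;

public class CreatorPermissionDemo {
    enum Permission { READ, DELETE }

    // Hypothetical stand-in for a role request (field names are assumptions).
    record RoleRequest(String applicant, String creator, boolean open) {}

    interface Evaluator {
        Set<Permission> permissions(RoleRequest request, String currentUser);
    }

    // Applicant-based rule: the identity the request is for gets READ and DELETE.
    // Models only this one rule; other evaluators (e.g. for managers) are left out.
    static final Evaluator BY_APPLICANT = (r, user) ->
        user.equals(r.applicant()) ? EnumSet.of(Permission.READ, Permission.DELETE)
                                   : EnumSet.noneOf(Permission.class);

    // Creator-based rule: DELETE (cancel) only for the creator of an open request.
    // Assumption: applicant and creator may both still READ the request.
    static final Evaluator BY_CREATOR = (r, user) -> {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        if (user.equals(r.applicant()) || user.equals(r.creator())) {
            granted.add(Permission.READ);
        }
        if (r.open() && user.equals(r.creator())) {
            granted.add(Permission.DELETE);
        }
        return granted;
    };

    static boolean canCancel(Evaluator e, RoleRequest r, String user) {
        return e.permissions(r, user).contains(Permission.DELETE);
    }

    public static void main(String[] args) {
        // Constructed scenario from the description: a manager requests a role for a user.
        RoleRequest byManager = new RoleRequest("user", "manager", true);
        RoleRequest bySelf = new RoleRequest("user", "user", true);
        RoleRequest closed = new RoleRequest("user", "user", false);

        System.out.println("applicant rule, user cancels manager's request: " + canCancel(BY_APPLICANT, byManager, "user"));
        System.out.println("creator rule, user cancels manager's request: " + canCancel(BY_CREATOR, byManager, "user"));
        System.out.println("creator rule, manager cancels own request: " + canCancel(BY_CREATOR, byManager, "manager"));
        System.out.println("creator rule, user cancels own open request: " + canCancel(BY_CREATOR, bySelf, "user"));
        System.out.println("creator rule, user cancels own closed request: " + canCancel(BY_CREATOR, closed, "user"));
    }
}
```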