Task #2863

open

Don't allow users to delete (cancel) the role requests which they didn't create

Added by Alena Peterová over 3 years ago. Updated over 3 years ago.

Status: New
Priority: Low
Assignee: Vít Švanda
Category: Authentication / Authorization
Target version: -
Start date: 06/25/2021
Due date:
% Done: 0%
Estimated time:
Owner:

Description

Tested on version 11.
By default, users may delete (cancel) an open role request which they didn't create.
Example:
  • manager adds some role to the user
  • there is some error on the system
  • both the user and the manager may delete the request

It would be safer if the user couldn't delete the request if they didn't create it themselves.


Files

request_delete.png (55 KB) Alena Peterová, 06/25/2021 03:18 PM

#2

Updated by Alena Peterová over 3 years ago

  • Subject changed from Don't allow users to delete the role requests in which they are involved to Don't allow users to delete (cancel) the role requests in which they are involved
  • Description updated (diff)

The requests cannot be deleted completely, just cancelled. However, the idea is still the same: if I'm not the author of the request, I shouldn't be able to cancel it.

#3

Updated by Alena Peterová over 3 years ago

  • Description updated (diff)

I deleted the technical proposal for how to change the userRole permissions, because evidently SelfRoleRequestEvaluator and RoleRequestByWfInvolvedIdentityEvaluator work in a different way than I thought. I don't know how to keep the Delete permission only for the creator of the role request now; maybe some other evaluator is needed.

#4

Updated by Alena Peterová over 3 years ago

  • Subject changed from Don't allow users to delete (cancel) the role requests in which they are involved to Don't allow users to delete (cancel) the role requests which they didn't create
  • Description updated (diff)

#5

Updated by Radek Tomiška over 3 years ago

  • Assignee changed from Radek Tomiška to Vít Švanda

#6

Updated by Vít Švanda over 3 years ago

If I understand correctly, you need a new evaluator (something like 'SelfCreatorRoleRequestEvaluator') to get the permissions based on the creator field (not by the applicant field as used in SelfRoleRequestEvaluator), right?
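
The applicant-versus-creator distinction discussed in this thread, as an added sketch that is not part of the ticket and is not CzechIdM code: a rule keyed on the applicant field lets the user cancel a request the manager created, while a rule keyed on the creator field does not. Every type and name below is hypothetical, and letting the applicant keep READ is an assumption.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model, not CzechIdM code: all types and names here are hypothetical.
public class CreatorOnlyCancelDemo {
    enum Permission { READ, DELETE }

    static final class RoleRequest {
        final String applicant; // identity that would receive the role
        final String creator;   // identity that submitted the request (may be null)
        RoleRequest(String applicant, String creator) {
            this.applicant = applicant;
            this.creator = creator;
        }
    }

    interface Evaluator {
        Set<Permission> permissions(String currentUser, RoleRequest request);
    }

    // Rule keyed on the applicant field: the applicant may cancel any request
    // made for them, including one that somebody else created.
    static final Evaluator BY_APPLICANT = (user, r) -> user.equals(r.applicant)
            ? EnumSet.of(Permission.READ, Permission.DELETE)
            : EnumSet.noneOf(Permission.class);

    // Rule keyed on the creator field: DELETE follows the creator only.
    // The applicant keeping READ is an assumption of this sketch.
    static final Evaluator BY_CREATOR = (user, r) -> {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        if (user.equals(r.applicant)) granted.add(Permission.READ);
        if (user.equals(r.creator)) granted.addAll(EnumSet.allOf(Permission.class));
        return granted; // a null creator matches nobody, so DELETE is denied by default
    };

    static boolean canCancel(Evaluator rule, String user, RoleRequest r) {
        return rule.permissions(user, r).contains(Permission.DELETE);
    }

    public static void main(String[] args) {
        RoleRequest byManager = new RoleRequest("user", "manager"); // constructed sample
        RoleRequest selfService = new RoleRequest("user", "user");  // constructed sample
        RoleRequest noCreator = new RoleRequest("user", null);      // constructed sample
        System.out.println("applicant rule, user vs manager's request: " + canCancel(BY_APPLICANT, "user", byManager));
        System.out.println("creator rule, user vs manager's request: " + canCancel(BY_CREATOR, "user", byManager));
        System.out.println("creator rule, manager vs own request: " + canCancel(BY_CREATOR, "manager", byManager));
        System.out.println("creator rule, user vs self-service request: " + canCancel(BY_CREATOR, "user", selfService));
        System.out.println("creator rule, user vs request without creator: " + canCancel(BY_CREATOR, "user", noCreator));
    }
}
```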
