yii2-usuario
Restrict user assignments to roles only?
What steps will reproduce the problem?
- Update a user
- Click "Assignments"
- Click Items field to display list
- A list of both roles and permissions is displayed.
What is the expected result?
A list of roles only should be displayed which may be assigned to a user in accordance with RBAC best practices.
What do you get instead?
A list of roles and permissions. Permissions should be suppressed. It can be easy to confuse roles and permissions and the list of permissions can be large, which can be cumbersome.
If necessary to preserve backward compatibility, perhaps a config parameter could be added (e.g. allowUserPermissionAssignment) which defaults to false but could be set to true.
Generally I think it would be better to keep the current status. The option to restrict available choices could be an idea, or graphically differentiate permissions from roles.
What about the idea of a config option? I could work on a PR (though I don't know how to do tests).
@maxxer I do think it requires an update to graphically differentiate permissions from roles. I think that's best.
I'm ready to submit a PR that will group roles and permissions separately. It also includes an allowUserPermissionAssignment config option that defaults to true but can be set to false to suppress permissions. This can be especially helpful if there are many permissions but only a few roles.
I will proceed if there are no objections.
What do you mean by group roles and permissions separately?
Using <optgroup> tag.
Cool!
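The proposal discussed in this thread, sketched as an added example that is not code from yii2-usuario or from the PR mentioned above: it builds the nested array a select widget renders as `<optgroup>` groups, and applies the same flag on the server so that a submitted permission name is rejected even when the form no longer lists it. The function names and sample items are hypothetical; the boolean stands in for the proposed allowUserPermissionAssignment option, and the type constants mirror `yii\rbac\Item`.

```php
<?php
// Added example: plain PHP, no Yii dependency. Values mirror yii\rbac\Item.
const TYPE_ROLE = 1;
const TYPE_PERMISSION = 2;

/**
 * Build the nested array that a select widget renders as <optgroup>s.
 * $items maps item name => type; $allowPermissions is the proposed flag.
 */
function groupedAssignableItems(array $items, bool $allowPermissions): array
{
    $groups = ['Roles' => [], 'Permissions' => []];
    foreach ($items as $name => $type) {
        if ($type === TYPE_ROLE) {
            $groups['Roles'][$name] = $name;
        } elseif ($type === TYPE_PERMISSION && $allowPermissions) {
            $groups['Permissions'][$name] = $name;
        }
    }
    return array_filter($groups); // drop groups that ended up empty
}

/**
 * Server-side check: split submitted names into accepted and rejected.
 * Hiding permissions in the form does not stop a crafted POST naming one.
 */
function filterSubmittedAssignments(array $submitted, array $items, bool $allowPermissions): array
{
    $allowed = [];
    foreach (groupedAssignableItems($items, $allowPermissions) as $group) {
        $allowed += $group;
    }
    $accepted = $rejected = [];
    foreach ($submitted as $name) {
        if (is_string($name) && isset($allowed[$name])) {
            $accepted[] = $name;
        } else {
            $rejected[] = $name; // unknown item, or a permission while disabled
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample data, not taken from the project.
$items = ['admin' => TYPE_ROLE, 'editor' => TYPE_ROLE,
          'deletePost' => TYPE_PERMISSION, 'updatePost' => TYPE_PERMISSION];
print_r(groupedAssignableItems($items, false));
print_r(filterSubmittedAssignments(['editor', 'deletePost', 'ghost'], $items, false));
```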