environment and dataset teams missing GET_ORGANIZATION permission

Open zsaltys opened this issue 10 months ago • 1 comments

There was recently a fix for 2.3 related to how GET_ORGANIZATION permission works: https://github.com/data-dot-all/dataall/pull/1139

The summary of the issue is that if you are a member of an environment team or dataset team then you will not have GET_ORGANIZATION permission and that will cause multiple issues in data.all UI:

  • You will not be able to list environments in the environment UI and get an error saying that you do not have a GET_ORGANIZATION permission
  • You will see organizations in the Organizations list, but if you try to view an organization you will not be able to view it (there won't even be a UI error, and the GraphQL response will contain an error; this should also be fixed).

The PR above partially fixes this issue by adding a new organization resolver which does not require a GET_ORGANIZATION permission. This means that anyone can view some basic information about any organization.

I argue that this fix is ultimately not the best one and the way it should work is this:

If you are a member of an environment team or any dataset team on that environment then you should be granted GET_ORGANIZATION permission on that organization implicitly even if your team is not directly invited into an organization. Logically this makes sense:

  1. You can only create environments with a specific environment team if that environment is invited to the organization (if that is not the case today then this should be fixed)
  2. We do not invite dataset teams into organizations because the only reason to invite teams into organizations is to let them create environments.

To summarize:

  1. Require that creating an environment in an organization with a team requires that that team is invited into the organization. This will ensure that this team will always have the GET_ORGANIZATION permission.
  2. Any dataset team when it is invited to an environment should also be at the same time given the GET_ORGANIZATION permission on the organization. It should be removed if the dataset team is removed from the environment.

Additionally we should add tests to check that dataset teams can view organizations or that they are granted GET_ORGANIZATION permission upon invitation. Also to make sure we test this for environment teams when they are invited to organizations.

zsaltys avatar Apr 05 '24 11:04 zsaltys

Thanks for the detailed issue. It's added to the list of possible candidates for 2.5

dlpzx avatar Apr 18 '24 06:04 dlpzx

@SofiaSazonova I see you're working on this. Can you confirm what's the plan for resolution?

zsaltys avatar Jun 18 '24 11:06 zsaltys

@dlpzx was this addressed:

Any dataset team when it is invited to an environment should also be at the same time given the GET_ORGANIZATION permission on the organization. It should be removed if the dataset team is removed from the environment.

And was the code cleaned up to remove the fix added to bypass the get_organization permission error?

zsaltys avatar Jun 26 '24 17:06 zsaltys

@zsaltys

What changed:

  1. When a group is invited into an organization, the admin can give (or not) permissions to invite/delete other groups and link environments. If none are selected, the group will have only the GET_ORGANIZATION permission.

  2. If a group is not invited into the organization, it can't be used to link an environment. Example:

  • User1 is in GroupA and GroupB. GroupA is an admin in Org1, GroupB is not invited.
  • User1 tries to link an environment to Org1. From the dropdown they can select their groups GroupB and GroupA.
  • Previously both these groups were valid; now, if they select GroupB, they will receive a message that this group should first be invited into Org1.
  • After GroupB is invited, User1 can use it as an environment admin group.

  3. If a group is not invited into the organization, it can't be invited into an environment.

  4. Added a migration to invite env groups as readers to their org. So, after the update, all groups that are in the environments of the organization will become members of the organization with minimal permissions.

SofiaSazonova avatar Jun 27 '24 12:06 SofiaSazonova
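The invariant discussed in this thread, both in the original proposal (every environment team or dataset team must end up with GET_ORGANIZATION on the parent organization) and in the resolution described in the last comment (a group must be invited into the organization before it can be used as an environment admin group or invited into an environment, plus a one-off migration that backfills existing environment groups as read-only members), as a small in-memory Python model. This is an added illustration, not code from data.all or from either commenter; the class and function names, and every permission name other than GET_ORGANIZATION, are assumptions.

```python
# Toy model of the organization-membership invariant from this issue.
# Added illustration only; not data.all code. Class, function and permission
# names other than GET_ORGANIZATION are assumptions.
from dataclasses import dataclass, field

GET_ORGANIZATION = "GET_ORGANIZATION"
# Optional extra grants an admin may hand out on invite (names assumed here).
INVITE_ORG_GROUP = "INVITE_ORGANIZATION_GROUP"
LINK_ENVIRONMENT = "LINK_ENVIRONMENT"


class PermissionDenied(Exception):
    """Raised when a group is used where its organization membership does not allow."""


@dataclass
class Organization:
    name: str
    # group name -> permissions; a key present here means the group is invited
    members: dict = field(default_factory=dict)


@dataclass
class Environment:
    name: str
    org: Organization
    admin_group: str
    dataset_groups: set = field(default_factory=set)


def invite_to_org(org, group, extra=()):
    """Invite a group; GET_ORGANIZATION is always granted, extras are optional."""
    org.members[group] = {GET_ORGANIZATION, *extra}


def can_get_organization(org, group):
    return GET_ORGANIZATION in org.members.get(group, set())


def create_environment(org, name, admin_group):
    """Linking an environment requires the admin group to be invited into the org first."""
    if admin_group not in org.members:
        raise PermissionDenied(f"{admin_group} must be invited into {org.name} first")
    return Environment(name, org, admin_group)


def invite_to_environment(env, group):
    """Dataset teams must likewise already be organization members."""
    if group not in env.org.members:
        raise PermissionDenied(f"{group} must be invited into {env.org.name} first")
    env.dataset_groups.add(group)


def remove_from_environment(env, group):
    # Org membership is independent of environment membership, so nothing is
    # revoked here: a group in two environments of the same org keeps GET_ORGANIZATION.
    env.dataset_groups.discard(group)


def backfill_env_groups(org, envs):
    """One-off migration: every group already attached to an environment of the
    org becomes an org member with GET_ORGANIZATION only. Existing members keep
    whatever they already have. Returns the groups that were added."""
    added = []
    for env in envs:
        if env.org is not org:
            continue
        for group in sorted({env.admin_group, *env.dataset_groups}):
            if group not in org.members:
                invite_to_org(org, group)
                added.append(group)
    return added


def demo():
    """Walk through the GroupA/GroupB scenario from the thread."""
    org1 = Organization("Org1")
    invite_to_org(org1, "GroupA", extra=[INVITE_ORG_GROUP, LINK_ENVIRONMENT])
    try:
        create_environment(org1, "env1", "GroupB")   # GroupB not invited yet
        rejected = False
    except PermissionDenied:
        rejected = True
    invite_to_org(org1, "GroupB")                     # minimal, read-only invite
    env1 = create_environment(org1, "env1", "GroupB")
    # Constructed legacy environment created before the check existed; its
    # groups were never invited into the organization.
    legacy = Environment("legacy", org1, "LegacyAdmins", {"DataTeamX"})
    added = backfill_env_groups(org1, [env1, legacy])
    return {
        "rejected_uninvited_admin_group": rejected,
        "groupb_can_get_org": can_get_organization(org1, "GroupB"),
        "backfilled": added,
        "legacy_can_get_org": can_get_organization(org1, "DataTeamX"),
    }


if __name__ == "__main__":
    print(demo())
```

Because organization membership is granted up front rather than derived from environment membership, removing a team from one environment never has to work out whether it still belongs to another environment of the same organization before deciding whether GET_ORGANIZATION survives; that bookkeeping is the main hazard of the implicit-grant approach proposed earlier in the thread.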