keycloak-ui icon indicating copy to clipboard operation
keycloak-ui copied to clipboard

Published 20 hours ago verified publisher icon keycloak

Allow user and admin attribute permissions to be independantly set

Open micbis opened this issue 2 years ago • 6 comments

Motivation

When using the experimental feature declarative user profile it was not possible to allow only the admin to view/edit an attribute. When admin was selected, user was always included.

Brief Description

Changed update handling of attribute permission checkboxes.

Verification Steps

  1. Enable declarative user profile feature
  2. Set "User Profile Enabled" to "on"
  3. Go "User Profile" and edit any attribute
  4. Select "admin" (user should no longer be selected automatically)

Checklist:

  • [X] Code has been tested locally by PR requester
  • [NA] User-visible strings are using the react-i18next framework (useTranslation)
  • [NA] Help has been implemented
  • [NA] axe report has been run and resulting a11y issues have been resolved
  • [NA] Unit tests have been created/updated

micbis avatar Oct 04 '22 10:10 micbis

@jonkoops Is there anything I can help with?

micbis avatar Oct 10 '22 21:10 micbis

This functionality is made this way to make it clear when you select admin the user is always included. Just not setting the checkbox doesn't change that behaviour.

image

Right @xianli123 ?

edewit avatar Oct 11 '22 04:10 edewit

@edewit Yes, if the "Admin" is marked, the "User" should be selected and read-only.

xianli123 avatar Oct 11 '22 06:10 xianli123

The reason why we have suggested this, is to have the possibilty of attributes which are only viewable / editable by the admin - and NOT the user.

So if by design the user always should be selected, is there another way to achieve the desired behaviour?

As far as we have tested our patch, the application correctly handles this (i.e. field is only visible/editable to user when the permissions are set correctly (we have tested the account management api, i.e. https://...url.../realms/master/account)

micbis avatar Oct 11 '22 08:10 micbis

@xianli123 @edewit I believe that @micbis is correct here.

@xianli123 did you have some notes or something that say enabling Admin should always enable User?

ssilvert avatar Oct 12 '22 20:10 ssilvert

Hi @ssilvert I have checked the design doc and the original issue, there is no evidence to proven the "Admin" can effect the "User". I think @micbis is correct.

A linkage relationship here is that if the User or Admin has the ability to Edit, the User or admin will have the right to View by default.

xianli123 avatar Oct 14 '22 02:10 xianli123

I tested this out and it looks good.

ssilvert avatar Oct 19 '22 18:10 ssilvert

@micbis Can you rebase your branch please?

ssilvert avatar Oct 21 '22 12:10 ssilvert

@ssilvert Sure, done.

micbis avatar Oct 21 '22 14:10 micbis

The test failures in the suite are expected, I'm going ahead and merge this in.

jonkoops avatar Oct 21 '22 15:10 jonkoops