adhocracy3

Local-Role inheritance is broken

Open 2e2a opened this issue 9 years ago • 2 comments

The new local role handling introduced in #2672 does not add an ACL if it is already set for a parent node.

This does not work with the current way of permission checking:

  • For each node all principals are checked
  • If a Deny is found for a role (which is the case in private processes), parents are not checked

2e2a, Sep 21 '16 13:09

An example is to set a local role for the organisation; then the children with a private process do not honour the local role of the parent. Actually, we set the local role for each process and not for the organisation, so this issue is not urgent.

joka, Sep 29 '16 08:09

Possible solution discussed with @joka:

  • When setting local ACLs do not ignore ACLs of parents
  • When setting an ACL update all children with local ACLs
  • Index resources with local ACLs, i.e. resources with workflows and local-roles

2e2a, Sep 29 '16 09:09
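
A minimal model of the failure and of the proposed fix, added here as an illustration and not taken from adhocracy3 or from either commenter. It assumes a first-match ACL walk from the node up through its parents, as the issue describes; every name in it (`Node`, `permits`, `set_local_ace`, `role:moderator`, the `view` permission) is hypothetical.

```python
# Simplified model of the check described in this issue; all names are
# hypothetical and none of this is adhocracy3 code.
ALLOW, DENY, EVERYONE = "Allow", "Deny", "system.Everyone"

class Node:
    def __init__(self, name, parent=None, acl=()):
        self.name, self.parent, self.children = name, parent, []
        self.acl = list(acl)  # ordered ACEs: (action, principal, permission)
        if parent is not None:
            parent.children.append(self)

def lineage(node):
    """Yield node, then its parents up to the root."""
    while node is not None:
        yield node
        node = node.parent

def permits(node, principals, permission):
    """First matching ACE wins: a local Deny ends the walk before parents."""
    for n in lineage(node):
        for action, principal, perm in n.acl:
            if principal in principals and perm == permission:
                return action == ALLOW
    return False

def set_local_ace(node, ace, fixed):
    """fixed=False: reported behaviour, skip the ACE if a parent has it.
    fixed=True: always write it and update descendants with local ACLs."""
    if not fixed and any(ace in p.acl for p in lineage(node.parent)):
        return
    stack, targets = (list(node.children) if fixed else []), [node]
    while stack:
        child = stack.pop()
        stack.extend(child.children)
        if child.acl:
            targets.append(child)
    for t in targets:  # assumption: prepend so it precedes a local Deny
        if ace not in t.acl:
            t.acl.insert(0, ace)

def check(fixed, principals):
    """Constructed scenario: organisation with one private process."""
    org = Node("organisation")
    process = Node("private-process", org, [(DENY, EVERYONE, "view")])
    ace = (ALLOW, "role:moderator", "view")
    set_local_ace(org, ace, fixed)
    set_local_ace(process, ace, fixed)
    return permits(process, principals, "view")
```

With `fixed=False` the moderator is denied on the private process although the organisation grants the role; with `fixed=True` the moderator is allowed while a principal set containing only `system.Everyone` is still denied.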