
Group support & permissions

Open richard-underwood opened this issue 8 years ago • 17 comments

Hi, this is a pretty big set of changes, so it would be worth getting some early feedback. It's designed to fix the following:

  • Issue 68 - group support
  • Issue 17 - forbid users from editing administrative records

Unfortunately, there's no point in having groups without some sort of permissions system, so that's included as well.

As the DB schema also needed updating for this, I've put a framework in place for schema versioning.

richard-underwood avatar Jan 09 '17 10:01 richard-underwood

Holy moly! I'll try to review this soon and await the rest of the patches. But good work!

tuxis-ie avatar Jan 09 '17 10:01 tuxis-ie

Thanks, one thing I should mention is that the interface is using jQuery autocomplete rather than drop-downs for the user and group selection boxes, as the number of users could be large. I hope this is OK.

richard-underwood avatar Jan 09 '17 10:01 richard-underwood

Yeah, I'd think that's ok.

tuxis-ie avatar Jan 09 '17 11:01 tuxis-ie

Hi, is there any news on committing this into master? We could use that group feature too. Thanks.

righter83 avatar Mar 30 '17 11:03 righter83

Ping? Any plans to get this PR reviewed and merged?

pasikarkkainen avatar Nov 07 '17 11:11 pasikarkkainen

@richard-underwood Was it ready?

tuxis-ie avatar Nov 07 '17 11:11 tuxis-ie

Apologies - other tasks got in the way and it stalled. It's not finished, and will need re-merging now. I'll try and get it up to date later this week and see what the state of play is.

richard-underwood avatar Nov 07 '17 11:11 richard-underwood

Not a problem. Thanks.

tuxis-ie avatar Nov 07 '17 11:11 tuxis-ie

I've merged the upstream changes, which looked OK, but not fully tested everything yet.

This is a large change, I'll try and list the changes below:

  • Added "groups" tab similar to the users & admin for group membership
  • Set up a permissions scheme (including restricted editing)
  • Changed DB schema to allow permissions set per zone
  • Implemented database versioning
  • Moved the records cascade out to its own button
  • jQuery autocomplete.js & menu.js enabled - user lookups are asynchronous as potentially this could be a large list (e.g. with LDAP integration)

Essentially, each domain still has an owner who is always admin, but other users or groups can be assigned to view, update or admin a zone. There's a config option to restrict editing (e.g. to stop SOA and NS records being updated).

I'm certain there's more to do, but it'll take me a while to remember exactly what. In particular, I have a feeling there are issues editing zones which have been created, but not in the database. Hopefully I'll have a chance to work on this over the next week.

If anyone who is interested in this pull request could have a look ON A TEST SYSTEM and see if it works for you, if there's anything fundamentally missing, if there are any security issues, etc. then it'd be appreciated. Bear in mind that the database schema will be changed, so take a backup of this if it's important to you.

richard-underwood avatar Nov 07 '17 14:11 richard-underwood
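The permission model described in the comment above (owner is always admin; users or groups can be granted view, update or admin on a zone; a config option restricts editing of SOA and NS records), sketched as an added example that is not part of the thread and is not nsedit's code. The names `Level`, `Zone`, `effective_level` and `can_edit_record` are hypothetical, and two behaviours are assumptions: the highest of a user's direct and group grants wins, and zone admins are exempt from the SOA/NS restriction.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Ordering is an assumption: admin implies update, update implies view.
    NONE = 0
    VIEW = 1
    UPDATE = 2
    ADMIN = 3


# Record types the comment names as examples of restricted editing.
RESTRICTED_TYPES = {"SOA", "NS"}


@dataclass
class Zone:
    name: str
    owner: str
    user_grants: dict = field(default_factory=dict)   # username -> Level
    group_grants: dict = field(default_factory=dict)  # group name -> Level


def effective_level(zone, user, user_groups):
    """Owner is always admin; otherwise the highest direct or group grant."""
    if user == zone.owner:
        return Level.ADMIN
    levels = [zone.user_grants.get(user, Level.NONE)]
    levels += [zone.group_grants.get(g, Level.NONE) for g in user_groups]
    return max(levels)


def can_edit_record(zone, user, user_groups, rtype, restrict_editing=True):
    """Deny by default; with restriction on, only zone admins edit SOA/NS."""
    level = effective_level(zone, user, user_groups)
    if level < Level.UPDATE:
        return False  # no grant, or view-only
    if restrict_editing and rtype.upper() in RESTRICTED_TYPES:
        return level >= Level.ADMIN  # assumption: admins are exempt
    return True


def sample_zone():
    # Constructed sample data, not taken from the thread.
    return Zone("example.org", owner="alice",
                user_grants={"bob": Level.VIEW},
                group_grants={"resellers": Level.UPDATE, "noc": Level.ADMIN})
```

The check belongs on the server side for every write request; the autocomplete and tab changes in the UI only decide what is shown, not what is allowed.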

@righter83 @pasikarkkainen ? Are you able to test this ON A TEST SYSTEM ? I'm currently not able to test this extensively.

tuxis-ie avatar Nov 20 '17 09:11 tuxis-ie

Hi, thanks for investing more time into this feature!

I've pulled it into my test system and almost everything works. I've tested the main stuff and not everything. The only bug I found: Zone Clone: if you clone a zone and set a specific owner user, the owner is admin afterwards instead of the specific user.

Just my 2c on this feature. We needed a superadmin and medium admins for our reseller structure. That means a medium admin is also allowed to create new zones -> everyone in his group will be allowed to edit that zone. But the medium admin sees only the zones which are granted to them. The superadmin then sees all zones.

My programming is not that fine, therefore I haven't made a pull request. But if others are interested in this model I could try to invest more time into it as soon as this pull is merged into master.

thanks

righter83 avatar Nov 20 '17 10:11 righter83

righter83 - thanks for looking at it. I didn't think I'd made any changes to zone cloning, so I suspect that that had always happened (but will check). However, the permissions will not be copied on zone clone, which I'm guessing they should be - so will need to add that.

Thanks.

richard-underwood avatar Nov 20 '17 10:11 richard-underwood

I've raised issue #160 for the owner change on cloning - it looks like the "kind" field is also ignored.

richard-underwood avatar Nov 20 '17 14:11 richard-underwood

I'm happy for this to be merged, if everyone else is - although I think it could still do with some more review or testing. In particular, @tuxis-ie, are you happy with the database update scripts?

richard-underwood avatar Nov 21 '17 10:11 richard-underwood

+1 for merging this feature soon :-)

metrax avatar Dec 23 '17 11:12 metrax

@tuxis-ie any news about this? If you need some more testing, I'd be available too (have a test system up and running)

gunnyst avatar Mar 09 '18 14:03 gunnyst

+1 for merging that will lift nsedit to a new level

ruben-herold avatar May 21 '18 13:05 ruben-herold