EZP-29559: Delete sleeping requirement for non-empty roles #2525
Conversation
|
Without reading the code, I have a question: why would we enforce roles to have N >= 1 policies? As long as there is any API that allows checking for a role assignment (instead of directly a policy assignment), I can see some (admittedly limited) value in being able to create empty roles... |
|
@gggeek Hi! I don't know the original intention for it, and I can also see that empty roles might be useful to someone, as an easy way of "marking" a user, e.g. to be tested in custom code: "If user has role 'snafu', do X". But IMO this would be abusing the system. By design, the purpose of a role is to contain policies, and be assignable. It's easy enough to add a custom policy, to fullfill the need above ("if user has policy 'snafu', do X"). And this has the benefit of being easier to audit for someone not familiar with the custom code. |
glye
changed the title
glye
force-pushed
the
ezp29559_uncomment_sleeping_role_code
branch
4 times, most recently
from
c331f08 to
4b53511
Compare
glye
force-pushed
the
ezp29559_uncomment_sleeping_role_code
branch
from
4b53511 to
c00b69e
Compare
|
@alongosz @andrerom With this fix, empty roles cannot be published. This breaks a number of tests (most fixed in PR now). It also breaks the REST API, in that How do you feel about this? We could make Or we could drop the PR and remove the commented code instead, accepting empty roles. |
|
@glye this is all a bit philosophical, as, apart from broken tests, there is no clear advantage presented so far for either allowing or disallowing empty roles - my claim is thus unsubstantiated as has to be taken as is... |
|
@gggeek I wouldn't have done this if the code wasn't already there. It was clearly the original intention that this constraint should be in place. But since then, a lot of tests have been written without keeping this in mind, making this PR bigger than I expected. I'll leave it up to gods of API to decide what is kosher/halal here. As for the use case for empty roles I mentioned, policies are clearly (IMO) better. Role names are (supposed to be / will eventually be) translatable, and they have no identifier, only an ID. Policy module/function strings are untranslatable, and more suitable for identifying permissions. So the constraint arguably inspires better code. I have no opinion beyond that, and there may be cases I haven't thought of. |
There was a problem hiding this comment.
This is not going to break just REST API. AdminUI flow uses the same concept:
- Create role (not draft).
- Display UI to add policies.
So this would apply to 3.0 (BC break, so needs to be done in major if we agree to do it)
IMHO empty role adds some flexibility, but your point @glye is also valid.
I think this is up to @SylvainGuittard or @bdunogier - should we disallow Roles without Policies in 3.0 and if so - how should we redesign AdminUI.
glye
changed the title
|
After API team discussion I have axed the sleeping code instead. The big changes that are required are not worth it. Note that the docblock included the exception we never got around to throw, so I deleted that too :) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
6.x/7.xThe role draft should have at least one policy. Uncomment the sleeping code for this, and fix breaking tests.API team decided this is not worth it - so much code has been written not taking this into account, will require big rewrites without a big benefit, so better to axe it.