Create Right: Manage Users

Lucyna Laska
When the USERS_MANAGE permission is not assigned to a user, he can retrieve only his own record, e.g.:
he can delete himself
he can get his own details
he can get the programs at his home facility or the programs that he supervises
What he can't do is:
update user details (e.g. assign roles, change email address, even for himself)
search users
view the list of all users
use the /passwordReset endpoint
When the role is assigned to a user, full control over all users is possible.
Test case: https://openlmis.atlassian.net/wiki/x/1q6eBg

Jakub Kondrat
@Lucyna Laska The user should only be able to retrieve his own record without the right

Lucyna Laska
@Jakub Kondrat I think I should be able to modify my own data using the PUT /api/users endpoint, but now the USERS_MANAGE permission is required. What do you think?

Brandon Bowersox-Johnson
@Jakub Kondrat @Sebastian Brudziński We just discussed the questions raised in #qa slack channel today.
Q: Why is attempting to log in throwing an error? (http://test.openlmis.org/api/users/a337ec45-31a0-4f2b-9b2e-a105c4b669bb [HTTP/1.1 403 284ms])
A: It was checking this new right. So we decided in Slack to temporarily revert the commit.
Q: Should the USERS_MANAGE right be required for the 8 endpoints listed?
A: Any logged-in user should be able to retrieve their own user record without that right. But if they try to retrieve a different user's record, that right would be required. So for the 6 endpoints on that list that retrieve a single user, such as /api/users/[userid]/*, we need to add a check in the logic to allow them to retrieve their own record. For the other 2 endpoints that retrieve lists of users, those require the USERS_MANAGE right.
Of course, remember that when the endpoints are accessed by a client with a service-level token, that client has "root" access to view any user ID.
Q: Does the UI need to change how it hits these endpoints?
A: From discussion with Chongsun and Nick, we do not think any UI or JavaScript changes are needed. The 403 error you saw on login is just when the UI is trying to retrieve the user's own record.
Q: What about Admin UIs?
A: Later we will build admin UIs to manage user accounts. When that happens, the people who try to do that will need the USERS_MANAGE right. So there's nothing to do now for this. And in the future it should be easy to make this work correctly.
Jakub, I hope this answers all your questions and allows you to proceed and commit the work without breaking anything. Let us know if there are any questions.
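To make the rule above concrete, here is an added model of the permission check (example code written for this page, not OpenLMIS's own implementation). It applies Brandon's rule for reads (a caller may GET their own record on the six single-user endpoints; the two list endpoints need USERS_MANAGE) and, as an assumption for writes, the acceptance criteria (PUT/POST/DELETE need USERS_MANAGE or a service token even for one's own record), which is the point Lucyna's PUT question leaves open. The second user ID is constructed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

USERS_MANAGE = "USERS_MANAGE"

# The six single-user endpoints from the ticket; {userId} is the path
# segment that names the record being accessed.
SINGLE_USER_PATH = re.compile(
    r"^/api/users/(?P<userId>[0-9a-fA-F-]{36})"
    r"(?:/(?:roleAssignments|hasRight|programs|"
    r"supervisedFacilities|fulfillmentFacilities))?$"
)
# The two endpoints that return lists of users.
LIST_PATHS = {"/api/users", "/api/users/search"}


@dataclass(frozen=True)
class Principal:
    """Caller identity. A service-level token carries no user id."""
    user_id: Optional[str] = None
    rights: FrozenSet[str] = frozenset()
    service_token: bool = False


def authorize(principal: Principal, method: str, path: str) -> int:
    """Return the HTTP status the check should yield: 200 (allow) or 403."""
    match = SINGLE_USER_PATH.match(path)
    if match is None and path not in LIST_PATHS:
        raise ValueError(f"not one of the user endpoints: {path}")
    # A service token has "root" access; the right grants full control.
    if principal.service_token or USERS_MANAGE in principal.rights:
        return 200
    # Without the right, only a read of the caller's own record is allowed;
    # list endpoints and all writes (assumption, per the acceptance criteria)
    # are refused.
    if match and method == "GET" and match.group("userId") == principal.user_id:
        return 200
    return 403


if __name__ == "__main__":
    me = Principal(user_id="a337ec45-31a0-4f2b-9b2e-a105c4b669bb")
    # The login case from the ticket: reading one's own record must be 200.
    print(authorize(me, "GET", "/api/users/a337ec45-31a0-4f2b-9b2e-a105c4b669bb"))
    print(authorize(me, "GET", "/api/users"))  # list endpoint: 403
```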
There should be an Administrative type Right that a User may be assigned via a Role that allows them to Manage (View, Create, Edit) Users.
Acceptance:
there is a new Administrative type of right named USERS_MANAGE in Reference Data
the endpoints that GET, PUT, POST & DELETE should require the right USERS_MANAGE or a Service token, otherwise a 403 should be returned for:
/api/users
/api/users/{userId}
/api/users/{userId}/roleAssignments
/api/users/{userId}/hasRight
/api/users/{userId}/programs
/api/users/{userId}/supervisedFacilities
/api/users/{userId}/fulfillmentFacilities
/api/users/search
RAML is updated
Check to ensure clients of updated endpoints don't break - raise an issue to the larger group if it does.