Description
When a user's role is changed from ADMIN to USER, he is still able to edit, from the frontend, the contexts he created. By design, the MS backend doesn't place any restrictions on changing contexts based on the user role. Contexts are resources like all the others, and the same policies are applied for authenticated users.
In the previous MS UI, it was possible to edit and manage contexts only from a dedicated admin section. Now that contexts can be managed in the new UI directly from home, like other resources, the default configuration should be coherent:
- either we allow all users to create contexts (the better option, more in line with the model)
- or we prevent users with the USER role from editing, from the UI, contexts created by them
It is already possible to apply either of them through app configuration, but it will still remain only a possible client-side setup, for the reason explained above regarding the underlying model.
How to reproduce
- Create a context as user X with ADMIN rights
- Change the role of that user to normal USER
Expected Result
One of the options above. Preferably the first one.
Current Result
The user cannot create new contexts, but he is still able to edit the contexts he created as admin.
Browser info
(use this site: https://www.whatsmybrowser.org/ for non-expert users)
| Browser Affected | Version |
|---|---|
| Internet Explorer | |
| Edge | |
| Chrome | |
| Firefox | |
| Safari | |
Other useful information