Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

admins can change external users's names #5965

Merged
merged 5 commits into from
Nov 26, 2024
Merged

admins can change external users's names #5965

merged 5 commits into from
Nov 26, 2024

Conversation

alihadimazeh
Copy link
Contributor

No description provided.

farhatahmad
farhatahmad reviewed Nov 18, 2024
View reviewed changes
db/schema.rb Outdated
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.

ActiveRecord::Schema[7.1].define(version: 2023_12_18_154727) do
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file shouldnt't be included in the changes

app/controllers/api/v1/users_controller.rb Outdated
Comment on lines 172 to 174
@update_user_params ||= if external_auth? && current_user.role.name.eql?('Administrator')
params.require(:user).permit(:name)
elsif external_auth?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greenlight is a bit more tricky than this. The "Administrator" role can be renamed, or the permission to edit users can be given to other roles, meaning that just this check isn't enough. What you need to do instead is check if the user has the ManageUsers permission

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's how you would do that:

PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call

@farhatahmad
Copy link
Collaborator

Also - did you test to make sure this works? There's a visual portion to this that is needed

Rspec tests are needed as well

@alihadimazeh
Revert "admins can change external users's names"
4be5646 
This reverts commit bf02581.
@alihadimazeh
admins can change an external user's name
19084c4
@alihadimazeh
- UpdateUserForm checks if user is an external and if the current user
509ee97 
signed in doesn't have Manage Users permissions
- `external_account` method & attribute moved from current user serializer to user
  serializer
farhatahmad
farhatahmad reviewed Nov 25, 2024
View reviewed changes
app/controllers/api/v1/users_controller.rb Outdated
Comment on lines 174 to 179
@update_user_params ||= if external_auth? && is_admin
params.require(:user).permit(:name)
elsif external_auth?
params.require(:user).permit(:password, :avatar, :language, :role_id, :invite_token)
else
params.require(:user).permit(:name, :password, :avatar, :language, :role_id, :invite_token)
Copy link
Collaborator

@farhatahmad farhatahmad Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@update_user_params ||= params.require(:user).permit(permitted_params)

def permitted_params
is_admin = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call

return [:password, :avatar, :language, :role_id, :invite_token] if external_auth? && !is_admin
[:name, :password, :avatar, :language, :role_id, :invite_token]
end

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@farhatahmad farhatahmad merged commit 391fd46 into bigbluebutton:master Nov 26, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@farhatahmad farhatahmad farhatahmad approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alihadimazeh @farhatahmad