Univention Bugzilla – Bug 45044
support restrictions for user imports
Last modified: 2017-12-21 12:22:59 CET
Add support to the UCS@school import framework to restrict a user import job to only change (c/u/d) users that are: * member of a school that is in a configured list of schools * of a certain type {staff, student, teacher} (to modify teacherStaff both staff and teacher must be allowed) The school and user-type lists should be configurable in a json configuration file (see ucs-school-4.2/ucs-school-import/usr/share/doc/ucs-school-import/user_import_configuration_readme.txt).
* document the options in user_import_configuration_readme.txt * create a ucs-test that fails and succeeds at importing all combinations of permissions (school X type)
As discussed, this doesn't seem to be necessary.
It is necessary, because the searches for users, when determining which ones to add or delete, do currently not take the configured user role into account. But that is necessary as is is currently possible to do: 1. import students ["A"] of school "S" 2. import teachers ["B"] of school "S" -> deletes student ["A"] of school "S" So a user that has only permissions to edit teachers can delete students (and vice versa).
Code: 6dd25d22a1b1fad7fa7fd9560595f24bfdeaf9a2 Advisory: 1662c6eee15ebc71d96ce6c459f9055a2ea97696 Package: ucs-school-import Version: 15.0.0-37A~4.2.0.201709071259 LDAP filter were adjusted to take config[user_role] into account. If the user_role was not set globally, the filter (objectClass=ucsschoolType) allows imports where the user type is in the input data (for example from ucs-school-testuser-import).
Restrict the list of schools in the API to those the logged in user has permissions to start imports on.
The API service now only lists those schools a logged in user has the permission to start an import for at least one user role. Code: 813447ea30ca9f038ce29dd2456c7302424ca081 Advisory: 0adea3f266342bb042acc894a74fbe789b9233c2 Package: ucs-school-import Version: 15.0.0-39A~4.2.0.201709111200
ucs-school-import 15.0.0-42: remove debug debris
887b0bd4: fix ldap filter for import permissions ucs-school-import 15.0.0-50A~4.2.0.201710111122 ucs-school-import now depends on ucs-school-lib version 10.0.2-8 because of Bug #45504
Changes look good. OK: YAML
UCS@school 4.2 v6 has been released. http://docs.software-univention.de/changelog-ucsschool-4.2v6-de.html If this error occurs again, please clone this bug.