Bug 45044 - support restrictions for user imports
support restrictions for user imports
Product: UCS@school
Classification: Unclassified
Component: Import scripts
UCS@school 4.2
Other Linux
: P5 normal (vote)
: UCS@school 4.2 (HTTP-API-MVP)
Assigned To: Daniel Tröder
Florian Best
Depends on: 45503 45504
Blocks: 45024
  Show dependency treegraph
Reported: 2017-07-19 11:55 CEST by Daniel Tröder
Modified: 2017-12-21 12:22 CET (History)
1 user (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2017-07-19 11:55:47 CEST
Add support to the UCS@school import framework to restrict a user import job to only change (c/u/d) users that are:
* member of a school that is in a configured list of schools
* of a certain type {staff, student, teacher} (to modify teacherStaff both staff and teacher must be allowed)

The school and user-type lists should be configurable in a json configuration file (see ucs-school-4.2/ucs-school-import/usr/share/doc/ucs-school-import/user_import_configuration_readme.txt).
Comment 1 Daniel Tröder univentionstaff 2017-07-19 11:59:47 CEST
* document the options in user_import_configuration_readme.txt
* create a ucs-test that fails and succeeds at importing all combinations of permissions (school X type)
Comment 2 Florian Best univentionstaff 2017-08-09 14:08:51 CEST
As discussed, this doesn't seem to be necessary.
Comment 3 Daniel Tröder univentionstaff 2017-09-07 12:47:37 CEST
It is necessary, because the searches for users, when determining which ones to add or delete, do currently not take the configured user role into account. But that is necessary as is is currently possible to do:
1. import students ["A"] of school "S"
2. import teachers ["B"] of school "S" -> deletes student ["A"] of school "S"

So a user that has only permissions to edit teachers can delete students (and vice versa).
Comment 4 Daniel Tröder univentionstaff 2017-09-07 13:15:45 CEST
Code: 6dd25d22a1b1fad7fa7fd9560595f24bfdeaf9a2
Advisory: 1662c6eee15ebc71d96ce6c459f9055a2ea97696
Package: ucs-school-import
Version: 15.0.0-37A~

LDAP filter were adjusted to take config[user_role] into account. If the user_role was not set globally, the filter (objectClass=ucsschoolType) allows imports where the user type is in the input data (for example from ucs-school-testuser-import).
Comment 5 Daniel Tröder univentionstaff 2017-09-11 10:17:49 CEST
Restrict the list of schools in the API to those the logged in user has permissions to start imports on.
Comment 6 Daniel Tröder univentionstaff 2017-09-11 12:04:23 CEST
The API service now only lists those schools a logged in user has the permission to start an import for at least one user role.

Code: 813447ea30ca9f038ce29dd2456c7302424ca081
Advisory: 0adea3f266342bb042acc894a74fbe789b9233c2

Package: ucs-school-import
Version: 15.0.0-39A~
Comment 7 Daniel Tröder univentionstaff 2017-09-14 17:42:09 CEST
ucs-school-import 15.0.0-42: remove debug debris
Comment 8 Daniel Tröder univentionstaff 2017-10-11 11:25:03 CEST
887b0bd4: fix ldap filter for import permissions
ucs-school-import 15.0.0-50A~

ucs-school-import now depends on ucs-school-lib version 10.0.2-8 because of Bug #45504
Comment 9 Florian Best univentionstaff 2017-12-01 17:58:16 CET
Changes look good.
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2017-12-21 12:22:59 CET
UCS@school 4.2 v6 has been released.


If this error occurs again, please clone this bug.