Bug 45044 - support restrictions for user imports
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Import scripts
UCS@school 4.2
Other Linux
P5 normal
UCS@school 4.2 (HTTP-API-MVP)
Assigned To: Daniel Tröder
Florian Best
Depends on: 45503 45504
Blocks: 45024
Reported: 2017-07-19 11:55 CEST by Daniel Tröder
Modified: 2017-12-21 12:22 CET (History)
What kind of report is it?: Feature Request
School Customer affected?: Yes
Description Daniel Tröder univentionstaff 2017-07-19 11:55:47 CEST
Add support to the UCS@school import framework to restrict a user import job to only change (c/u/d) users that are:
* member of a school that is in a configured list of schools
* of a certain type {staff, student, teacher} (to modify teacherStaff both staff and teacher must be allowed)

The school and user-type lists should be configurable in a json configuration file (see ucs-school-4.2/ucs-school-import/usr/share/doc/ucs-school-import/user_import_configuration_readme.txt).
Comment 1 Daniel Tröder univentionstaff 2017-07-19 11:59:47 CEST
* document the options in user_import_configuration_readme.txt
* create a ucs-test that fails and succeeds at importing all combinations of permissions (school X type)
Comment 2 Florian Best univentionstaff 2017-08-09 14:08:51 CEST
As discussed, this doesn't seem to be necessary.
Comment 3 Daniel Tröder univentionstaff 2017-09-07 12:47:37 CEST
It is necessary, because the searches for users, when determining which ones to add or delete, currently do not take the configured user role into account. But that is necessary, as it is currently possible to do:
1. import students ["A"] of school "S"
2. import teachers ["B"] of school "S" -> deletes student ["A"] of school "S"

So a user that has only permissions to edit teachers can delete students (and vice versa).
Comment 4 Daniel Tröder univentionstaff 2017-09-07 13:15:45 CEST
Code: 6dd25d22a1b1fad7fa7fd9560595f24bfdeaf9a2
Advisory: 1662c6eee15ebc71d96ce6c459f9055a2ea97696
Package: ucs-school-import
Version: 15.0.0-37A~4.2.0.201709071259

LDAP filters were adjusted to take config[user_role] into account. If the user_role was not set globally, the filter (objectClass=ucsschoolType) allows imports where the user type is in the input data (for example from ucs-school-testuser-import).
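The following is an added illustration of the scenario in comment 3 and the filter change in comment 4; it is not code from ucs-school-import. The objectClass names per role, the ucsschoolSchool attribute, the sample directory entries and the function names are assumptions made for the example.

```python
import re

# Assumed mapping of the import's user_role setting to the objectClass of the
# corresponding UCS@school user object (names are assumptions, not project code).
ROLE_OBJECTCLASS = {
    "student": "ucsschoolStudent",
    "teacher": "ucsschoolTeacher",
    "staff": "ucsschoolStaff",
}

# Constructed sample directory: the state after step 1 of comment 3
# (student "A" of school "S") plus an unrelated teacher in school "T".
DIRECTORY = [
    {"uid": "A", "ucsschoolSchool": ["S"], "objectClass": ["ucsschoolType", "ucsschoolStudent"]},
    {"uid": "C", "ucsschoolSchool": ["T"], "objectClass": ["ucsschoolType", "ucsschoolTeacher"]},
]


def build_filter(school, user_role=None):
    """Return the LDAP filter an import job uses to find the users it owns.

    Without a role part the job sees every user of the school (the bug in
    comment 3). With config[user_role] set, the filter narrows to that role;
    when no global role is configured, (objectClass=ucsschoolType) keeps all
    types so the role can come from the input data (comment 4).
    """
    role_oc = ROLE_OBJECTCLASS[user_role] if user_role else "ucsschoolType"
    return "(&(ucsschoolSchool=%s)(objectClass=%s))" % (school, role_oc)


def matches(entry, ldap_filter):
    """Evaluate the AND-of-equalities filters built above against one entry."""
    assertions = re.findall(r"\((\w+)=([^()]+)\)", ldap_filter)
    return all(value in entry.get(attr, []) for attr, value in assertions)


def users_to_delete(directory, imported_uids, school, user_role=None):
    """Users found by the job's filter but absent from the import input."""
    found = {e["uid"] for e in directory if matches(e, build_filter(school, user_role))}
    return found - set(imported_uids)


if __name__ == "__main__":
    # Step 2 of comment 3: import teachers ["B"] of school "S".
    print(users_to_delete(DIRECTORY, ["B"], "S"))             # no role restriction: {'A'}
    print(users_to_delete(DIRECTORY, ["B"], "S", "teacher"))  # with user_role: set()
```

Run as a script, the first line shows the student being selected for deletion by a teacher import, the second shows the role-restricted filter leaving it alone.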
Comment 5 Daniel Tröder univentionstaff 2017-09-11 10:17:49 CEST
Restrict the list of schools in the API to those the logged-in user has permissions to start imports on.
Comment 6 Daniel Tröder univentionstaff 2017-09-11 12:04:23 CEST
The API service now only lists those schools a logged-in user has the permission to start an import for, for at least one user role.

Code: 813447ea30ca9f038ce29dd2456c7302424ca081
Advisory: 0adea3f266342bb042acc894a74fbe789b9233c2

Package: ucs-school-import
Version: 15.0.0-39A~4.2.0.201709111200
Comment 7 Daniel Tröder univentionstaff 2017-09-14 17:42:09 CEST
ucs-school-import 15.0.0-42: remove debug debris
Comment 8 Daniel Tröder univentionstaff 2017-10-11 11:25:03 CEST
887b0bd4: fix ldap filter for import permissions
ucs-school-import 15.0.0-50A~4.2.0.201710111122

ucs-school-import now depends on ucs-school-lib version 10.0.2-8 because of Bug #45504
Comment 9 Florian Best univentionstaff 2017-12-01 17:58:16 CET
Changes look good.
OK: YAML
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2017-12-21 12:22:59 CET
UCS@school 4.2 v6 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.2v6-de.html

If this error occurs again, please clone this bug.