Univention Bugzilla – Bug 50031
Allow user import via UMC with school and role gathered from import data
Last modified: 2023-10-26 14:39:27 CEST
The user import module requires the user to select a school and role for the users they're about to submit import data for. A customer wants to get this information from the import data without the importing user having to specify it. Maybe we could change the module as follows:

- Two new UCR vars to deactivate the school/role selection in the UMC module
- If the var is set, the module just uses the mapping defined in the import configs
- If there is no mapping for school or role, the import fails

It would be nice if this was possible, especially because the import can do this technically, but only via the CLI afaik.
The user that wants to start an import must be in an import-group that allows the school+role selection. Without this limitation a teacher from SchoolA can delete users from SchoolB. It was a conscious design decision to keep the permission checks in the Import-HTTP-API (aka Newton API) instead of having it in the import framework. The permissions apply to the "schools" property, and thus also to the "school_classes" property.

There are two possibilities to implement this:

1) check permissions in the import framework when creating/modifying/moving/deleting users
2) check permissions in the Newton API by parsing the CSV file

The latter is less secure, because it wouldn't detect the transfer of users from a prohibited OU into one of the allowed OUs.

The problem: currently the "source_uid" is calculated as "$OU-$ROLE". Thus existing members of other OUs cannot be modified, moved or deleted, because they are simply not part of the set of user objects of that source_uid. When the source_uid cannot be used anymore as a limiting factor for the import, searches for users using the record_uid can reveal users of other OUs.

So it really has to be done in the import framework (option 1): the permissions have to be available in the import, and in all operations (create/modify/move/delete) the properties "school", "schools" and "school_classes" have to be checked.
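To make the argument for option 1 concrete, here is an added Python model (not Univention's import code) of both permission-check variants run over a constructed directory and CSV; the `User` class, the check functions and the sample data are assumptions for illustration only.

```python
from dataclasses import dataclass, field
class PermissionDenied(Exception): pass

@dataclass
class User:  # toy stand-in for a UCS@school user object (constructed)
    record_uid: str
    schools: set
    school_classes: dict = field(default_factory=dict)  # school -> classes

def check_csv_only(existing, row, allowed):
    # Option 2: CSV parsed in front of the import; only the row's target
    # school is visible, the existing object's current schools are not.
    if row is not None and row["school"] not in allowed:
        raise PermissionDenied("target school not allowed: " + row["school"])

def check_in_framework(existing, row, allowed):
    # Option 1: runs inside the import for every operation and also
    # inspects the existing object's "schools" and "school_classes".
    check_csv_only(existing, row, allowed)
    if existing is not None:
        current = set(existing.schools) | set(existing.school_classes)
        if not current <= set(allowed):
            raise PermissionDenied("user in foreign OU: " + existing.record_uid)

def _outcome(check, existing, row, allowed, ok):
    try:
        check(existing, row, allowed)
        return ok
    except PermissionDenied:
        return "denied"

def run_import(directory, rows, allowed, check):
    # Match by record_uid alone (no source_uid restriction), so users of
    # other OUs are reachable; users absent from the CSV are deletion
    # candidates. Returns {record_uid: create|modify|delete|denied}.
    outcome = {}
    for row in rows:
        rid, existing = row["record_uid"], directory.get(row["record_uid"])
        outcome[rid] = _outcome(check, existing, row, allowed,
                                "create" if existing is None else "modify")
    for rid, user in directory.items():
        if rid not in outcome:
            outcome[rid] = _outcome(check, user, None, allowed, "delete")
    return outcome

# Constructed sample: importer allowed for SchoolA only; b1 would be moved
# from SchoolB into SchoolA, b2 is missing from the CSV.
ALLOWED = {"SchoolA"}
DIRECTORY = {"a1": User("a1", {"SchoolA"}, {"SchoolA": ["1a"]}),
             "b1": User("b1", {"SchoolB"}, {"SchoolB": ["2b"]}),
             "b2": User("b2", {"SchoolB"})}
ROWS = [{"record_uid": r, "school": "SchoolA"} for r in ("a1", "b1", "n1")]
```

With the CSV-only check, b1 is silently moved out of SchoolB and b2 is deleted; the in-framework check denies both because it looks at the existing object's schools before the operation.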