On čtvrtek 19. ledna 2017 8:44:59 CET Lukas Zapletal wrote: > > Let's continue the discussion here since it might read more people. I > > think > > that as a user I don't care that my installation consists of core and > > several plugins and I want to have Viewer role that gathers all view > > permission for the whole app. > > > > This does not in conflict with also providing "$plugin Viewer" and > > "$plugin > > Manager" roles so if user wants to create a user group from subset of > > permission he can still do it. > > > > If you want to keep current Viewer and Manager roles to contain only core > > permissions then I'd suggest renaming them to Core Viewer and Core Manager > > The price for that is too high in my eyes. I think these roles and > permissions should be strictly separated for now and forever and we > need to come up with different approach of handling that. What I like > the best is a help text, better documentation and renaming the core > roles to something that is more obvious. > > Allowing plugins to modify core roles will end up with a mess that is > very difficult to clean! Both adding and deleting permissions for > existing roles during upgrades is very challenging, we usually want to > tell administrators "hey, danger ahead, during upgrade all these users > will get/lost some permissions" so it's a dilemma to do this via > migration/seed or explicitly ask the user to do the change in upgrade > notes. When reviewing these changes, we need to be careful and we are > doing great job in core, but I wonder what happens if we open the > doors to any plugin to basically play around with the two most > important roles in the application.
Sorry I don't get it, especially the price. What's the difference between core and plugins in terms of permissions upgrades? If you rename plugin permission you need to provide the same migration as if you renamed it in core. Currently we don't support plugin uninstallation, when we do we'll likely have a tool to say which permission should be removed. The only other option I see to make this usable is to precreate user group that plugins would assign their roles to. But I'd say that's the same thing just in different model. The user reports (see the mirroring BZ [1]) and especially the way they were reported convinces me we need to change the current status. If users open issues because they can't see a button even when they have role "viewers" then I think it's our fault. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1304608 -- Marek -- You received this message because you are subscribed to the Google Groups "foreman-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
