Open-event-server: Permissions are not editable in admin tab

Created on 13 Feb 2017 · 12 Comments · Source: fossasia/open-event-server

URGENT admin bug

All 12 comments

@mariobehling I would like to work on this. I will send a fix soon :)

@Princu7 Can you confirm that the functions work? As a co-organizer I still receive the info "error saving" even though the co-organizers received all permissions. Maybe there are permissions that we do not cover yet?

@mariobehling Yeah, sure. I will have a look at the cause of the error :)

@mariobehling @niranjan94 The permissions are saved correctly. The problem occurs when the co-organizer saves the changes he made. Currently, we send an AJAX request to save the modifications. Inside the main event route to which the request is sent, we only check whether the current user is staff or organizer of that event or not. We don't do any additional checks. This is the reason why the request is aborted and we receive the info "error saving".

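Here is the little code snippet responsible for the error:

```python
# Inside the main event route: only staff and the event's organizer pass this check.
if not current_user.is_staff and not current_user.is_organizer(event_id):
    abort(403)
```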

To do it correctly, we have to check the other roles of the current user in that event and check whether he has the permissions to make the changes requested or not.
I am trying to fix this issue. If I understood something wrong, please correct me :) Thanks!!
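
An added example, not code from open-event-server or from the pull requests in this thread: the check quoted in the comment above next to a deny-by-default check that also looks up the user's role in that event and the CRUD actions granted to it. The `User` class, the `PERMISSIONS` table, the role and service names, and both function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed permission table: (event role, service) -> allowed actions.
# Role and service names are hypothetical stand-ins for the admin-tab settings.
PERMISSIONS = {
    ("coorganizer", "session"): {"create", "read", "update", "delete"},
    ("coorganizer", "speaker"): {"create", "read", "update"},
    ("moderator", "session"): {"read"},
}


@dataclass
class User:
    is_staff: bool = False
    # event_id -> role held in that event (constructed sample data)
    event_roles: dict = field(default_factory=dict)

    def is_organizer(self, event_id):
        return self.event_roles.get(event_id) == "organizer"


def original_check(user, event_id):
    """The check quoted in the comment: only staff and organizers pass."""
    return user.is_staff or user.is_organizer(event_id)


def role_aware_check(user, event_id, service, action):
    """Staff and organizers pass; any other role needs the action granted."""
    if user.is_staff or user.is_organizer(event_id):
        return True
    role = user.event_roles.get(event_id)  # a role is scoped to one event
    if role is None:
        return False  # no role in this event: deny
    return action in PERMISSIONS.get((role, service), set())


if __name__ == "__main__":
    coorg = User(event_roles={8: "coorganizer"})
    print(original_check(coorg, 8))
    print(role_aware_check(coorg, 8, "session", "update"))
    print(role_aware_check(coorg, 8, "speaker", "delete"))
    print(role_aware_check(coorg, 9, "session", "update"))
```

A role held in one event grants nothing in another, and a role/service pair missing from the table is denied rather than allowed.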

@Princu7 you're right. Could you make a PR with the fix?

@niranjan94 Sure. I am working on it. Will send a patch soon :)

@niranjan94 @mariobehling I have done some work on this issue but there are many points which I want to discuss.
Here is the test server: http://ancient-thicket-44821.herokuapp.com
The added items are now being saved.

Admin Credentials:

user-id: [email protected]
password: fossasia

Co-Organizer Credentials (of the event _Hurry_)

Event link: http://ancient-thicket-44821.herokuapp.com/events/8/
user-id: [email protected]
password: fossasia

We have CRUD permissions for different event roles like co-organizer for entities like _sessions, speakers, sponsors, tracks and microlocations_. In the _wizard_ step 1, where we change the details regarding the event, which permissions category should it fall under? How should we decide whether the co-organizer or any other person having a different event_role is authorized to change the details of the event like _start_date, end_date, tickets_ etc?

I have made a PR. It's a work in progress. Currently, I have only authorized the organizer to change the event details in the step1 as I wasn't sure about how to decide this step for other event roles. Please review the test server and PR and guide.

Here is the PR link #3205

@Princu7 for now, give the co-organizer the same permissions as the organizer by default.

For the wizard mods, all Co-organizers and organizers should have the permission

Good work on #3205. Have added some comments.

But before that, could you quickly fix such that co-organizers have the same perms as organizers? Since this is a priority right now. After that we can discuss and come to a proper plan for more detailed permissions.

@niranjan94 Thanks for the review :) Just to be absolutely clear, we are intending to give full rights to co-organizer for all the wizard steps regardless of the permissions specified for that role in the admin section?

Opened a new PR #3209
