"Can create user" does not include usergroups.collection.get resulting in an error popup
Description
And so does "Can view user profile" and all other perm sets that allow operating the Users app. Users app is not fully functional if the usergroups cannot be retrieved.
Immediate solution is to add usergroups.collection.get to the visible sets in mod-users-bl.
Alternatively the permission can be handled transparently by mod-users-bl in the "composite" user records endpoint. This, however, is most likely contrary to how we have decided to treat storage-level permissions in the composite endpoints – we have talked about relying on the fact that the user has storage-level permissions assigned directly, rather than the module handling them through modulePermissions.
So it seems either way they should end up in the set.
Yes, it's terribly confusing how the workflow is different on different projects. It's going to help a lot not to have to guess how to effect state transitions all the time.
Cate Boerema June 14, 2017 at 10:35 AM
Still getting an error in demo-test so I'm guessing this fix hasn't made it there yet. I'll check back later. I wish I could switch this issue to In Review to remind myself. I'll talk to Jakub about getting all these projects on the same workflow.
Mike Taylor June 13, 2017 at 11:08 AM
It took me a while to come round to this position (to 's frustration, I suspect!) but I landed there in the end! And we have a sort-of-plan.
Heikki Levanto June 13, 2017 at 11:05 AM
I agree, very much. I freely admit that building these sets in mod-users-bl is a dirty hack.
Mike Taylor June 13, 2017 at 10:53 AM
Jakub and I discussed this on the #sprintreview channel (which, yes, was a dumb place for the conversation). We concluded what I guess we've known for a while – that these kinds of very high-level permissions that include low-level permissions from several low-level modules are really describing UI operations.
Only ui-users knows that "create user" involves being able to read the user-groups, so that one can be chosen for the new user; so it should really be the ui-users module that defines the permission that makes it happen. This is the subject of FOLIO-636.
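The gap this issue describes can be caught before release with a check that expands every visible permission set and reports the ones that never reach usergroups.collection.get. The following is an added example, not code from mod-users-bl or ui-users; the set layout (permissionName, displayName, subPermissions, visible) and every permission name other than usergroups.collection.get are constructed assumptions.

```python
# Constructed sample data: the set names and every permission name except
# usergroups.collection.get are hypothetical, as is the exact set layout.
PERMISSION_SETS = [
    {"permissionName": "users-bl.create", "displayName": "Can create user",
     "visible": True, "subPermissions": ["users.item.post", "users-bl.view"]},
    {"permissionName": "users-bl.view", "displayName": "Can view user profile",
     "visible": True, "subPermissions": ["users.collection.get", "users.item.get"]},
    {"permissionName": "users-bl.internal", "displayName": "Internal helper set",
     "visible": False, "subPermissions": ["users.item.get"]},
]

# What the Users app needs in order to work, per the issue description.
REQUIRED = {"usergroups.collection.get"}


def expand(name, sets_by_name, seen=None):
    """Return every leaf permission reachable from `name`, following nested sets."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against sets that include each other
        return set()
    seen.add(name)
    entry = sets_by_name.get(name)
    if entry is None:           # not a set, so it is a leaf permission
        return {name}
    leaves = set()
    for sub in entry.get("subPermissions", []):
        leaves |= expand(sub, sets_by_name, seen)
    return leaves


def missing_required(permission_sets, required):
    """Map each visible set's displayName to the required permissions it lacks."""
    by_name = {s["permissionName"]: s for s in permission_sets}
    gaps = {}
    for s in permission_sets:
        if not s.get("visible"):
            continue            # only sets an administrator can assign matter here
        lacking = required - expand(s["permissionName"], by_name)
        if lacking:
            gaps[s["displayName"]] = sorted(lacking)
    return gaps


if __name__ == "__main__":
    for display, lacking in missing_required(PERMISSION_SETS, REQUIRED).items():
        print(f"{display}: missing {', '.join(lacking)}")
```

Because "Can create user" nests the view set in this constructed data, adding the permission to the view set alone clears both findings.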