HOLD: Permissions: Can View User Profile: All Fields
Activity
Jakub Skoczen March 20, 2017 at 11:04 AM
Guys, after chatting with Cate we have decided to postpone work on the restricted fields for now until we get more use cases. So any mention of restricted fields in this or other stories should be ignored for now.
Mike Taylor March 16, 2017 at 10:38 AM
Thanks.
Jakub Skoczen March 16, 2017 at 10:36 AM
I put it as "for-next-sprint" and unassigned.
Mike Taylor March 16, 2017 at 10:25 AM
I agree.
So what should be the fate of this issue? Closing it as WONTFIX seems harsh; we have no close-reason LATER, which better summarises what we've concluded. Can we maybe just reset it to TODO and take it out of sprint10? I don't like to have it hanging over me as unfinished work in the sprint.
Jakub Skoczen March 16, 2017 at 10:22 AM
You are probably right and I think it's okay to spend some time next sprint investigating this. The main reason why I am not crazy about "just implementing" this is that it complicates our data modelling: we can no longer use just a simple JSON schema to capture the fields, as suddenly the objects the client sees depend on his permissions. Sure, we can make everything optional or dynamic in the schema and enforce rules in the code. Let's just make sure we really have to.
Purpose: Improve permissions handling so that assigned permissions control what options are presented to the user within FOLIO (currently all options are presented and you get an error when you attempt something you don't have rights to). The focus of this story is the "Can view user profile: all fields" permission. Other stories will be added for other permissions.
NOTE: This story is on hold, as we are waiting for more use cases for restricted fields before implementing.
Scenarios:
Scenario
Given User A has been assigned the "Can view user profile: all fields" permission ONLY
When FOLIO is displayed
Then User A has the following rights:
Users app is visible in Recent Applications Toolbar
Basic user data can be searched and filtered in Users app
Basic user fields can be viewed
Restricted user data can be searched and filtered in the Users app
Restricted user fields can be viewed
Direct linking to User search, results and details is allowed
Scenario
Given User A has been assigned the "Can view user profile: all fields" permission ONLY
When FOLIO is displayed
Then User A does NOT have the following rights:
Basic user fields can be edited
Restricted user fields can be edited
User Edit button/icon is visible
Direct linking to Edit User page is allowed
Create new user button is visible
User creation is permitted
Direct linking to Create User page is allowed
Can view permissions assigned to users
Can assign and unassign permissions to users
Settings app is visible in Recent Applications Toolbar
"User permissions" link is visible under Settings > Users
User permission sets can be created, read, updated and deleted
Scenario
Given I don't have rights to direct link to Page A
When I direct link to page A (e.g. I paste the url into my browser)
Then I should see the following message:
Header/Title: Permission Error
Text: Sorry - your user permissions do not allow access to this page.
NOTE: This is an edge case and it doesn't need to be pretty, but we do need to make sure it works so there's no back door to access things you shouldn't be able to access. We're flexible on how we do this.
Scenario
Given User A has been assigned the "Can view user profile: all fields" permission AND another permission or set
When FOLIO is displayed
Then User A shall have the cumulative set of rights from all assigned permissions
Additional Info: A graphical representation of the rights by base permission can be found in this Google sheet. Please note that the scope of the sheet is much larger than this particular story (and even includes some items that are out of scope for v1). Please reference the scenarios in this story for story scope.
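The direct-link and cumulative-rights scenarios above, sketched as a deny-by-default route check. This is an added example, not FOLIO code: the permission names, rights and routes are hypothetical, and only the error title and text come from the story.

```javascript
// Hypothetical permission -> rights mapping (names are assumptions, not FOLIO's).
const PERMISSION_SETS = {
  'users.view-all-fields': ['users.app', 'users.search', 'users.view.basic', 'users.view.restricted'],
  'users.edit': ['users.app', 'users.edit.basic'],
};

// Each route names the one right it requires. Order matters: /users/new must
// be tested before the generic /users/:id pattern. Unlisted routes are denied.
const ROUTE_RIGHTS = [
  { pattern: /^\/users\/new$/, right: 'users.create' },
  { pattern: /^\/users\/[^/]+\/edit$/, right: 'users.edit.basic' },
  { pattern: /^\/users\/[^/]+$/, right: 'users.view.basic' },
  { pattern: /^\/users$/, right: 'users.search' },
  { pattern: /^\/settings\/users\/permissions$/, right: 'perms.manage' },
];

// Message text taken from the story's direct-link scenario.
const PERMISSION_ERROR = {
  title: 'Permission Error',
  text: 'Sorry - your user permissions do not allow access to this page.',
};

// Cumulative rights: the union of the rights of every assigned permission.
function effectiveRights(assigned) {
  const rights = new Set();
  for (const name of assigned) {
    for (const right of PERMISSION_SETS[name] || []) rights.add(right);
  }
  return rights;
}

// One decision function for both rendering links/buttons and resolving a
// pasted URL, so a hidden button and a direct link cannot disagree.
function resolveRoute(path, assigned) {
  // Drop query string, fragment and trailing slashes before matching.
  const pathname = path.split(/[?#]/)[0].replace(/\/+$/, '') || '/';
  const route = ROUTE_RIGHTS.find((r) => r.pattern.test(pathname));
  if (!route || !effectiveRights(assigned).has(route.right)) {
    return { allowed: false, ...PERMISSION_ERROR };
  }
  return { allowed: true, right: route.right };
}
```

A client-side guard like this only controls what is displayed; the backend has to make the same decision on every API request for the "no back door" requirement to hold.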