Group roles and inheritance to members

Hi everyone,

I am testing the load_roles function for adding custom roles to the Hub and if I add a group name to the role specification and no users, the members of the group are not assigned to the role (checked in admin panel at the role listing).
Here is what the role setting looks like:

My question is: Can the members of the group receive the scopes from the group’s role, even if the role isn’t assigned to them directly in the database?

Many thanks in advance!

I have just tested and the group role is inherited by the members. Perhaps it should also be shown in the admin control panel for transparency?

You’re right, the users do have this role, but it is not in the user model. So the behavior is what you want, though the admin UI doesn’t show you the info you want. I think we still need to be able to distinguish between roles assigned directly and roles assigned via groups, so just extending the single list may not be right. But indeed, there are two lists of roles for each user:

  1. directly assigned roles
  2. all resolved roles (including those from groups)

One reason for keeping the distinction is that you can’t remove a role from a user if it’s granted by group membership.

Via the API, the way to do this is to iterate through the groups and get their roles, to merge with the user’s own roles. We could also expand the group model on users to dicts containing name and roles so this can be retrieved in a single model, or add a single list to the model that is all the assigned roles.

Maybe the more direct answer is that the admin pages need more links and group management UI (e.g. user → group name → link to group view → shows group roles). That’s how things like GitHub usually organize things - when viewing a user you see a user’s directly-granted permissions and their team membership, but you don’t see the user’s permissions as a result of team membership without visiting the team info page (or in GitHub’s case, the contributors list which shows the team but you have to click through to see its members).

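The API approach described in the reply above (iterate through the user's groups, fetch each group's roles, merge with the user's own), as an added example that is not part of the original thread and not JupyterHub's own code. It assumes the user model returned by the REST API carries `groups` and `roles` lists and the group model carries `roles`, and that the token can read both; the helper names and the sample models are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import quote


def hub_get(hub_api, token, path):
    """GET a JupyterHub REST API path (hub_api ends in /hub/api) and decode the JSON."""
    req = urllib.request.Request(
        f"{hub_api.rstrip('/')}{path}",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def resolve_roles(username, get):
    """Return {role: [sources]}; a source is 'direct' or 'group:<name>'.

    `get` maps an API path to a decoded model, for example
    functools.partial(hub_get, hub_api, token) against a live Hub.
    """
    user = get(f"/users/{quote(username, safe='')}")
    # .get() because fields the token is not scoped to read are omitted
    sources = {role: ["direct"] for role in user.get("roles", [])}
    for group in user.get("groups", []):
        group_model = get(f"/groups/{quote(group, safe='')}")
        for role in group_model.get("roles", []):
            sources.setdefault(role, []).append(f"group:{group}")
    return sources


def removable_directly(sources):
    """Roles the user loses when unassigned directly (no group also grants them)."""
    return sorted(role for role, src in sources.items() if src == ["direct"])


# Constructed sample models standing in for API responses (not real Hub data)
SAMPLE = {
    "/users/alice": {"name": "alice", "groups": ["course-a", "graders"], "roles": ["user"]},
    "/users/bob": {"name": "bob", "groups": ["course-a"], "roles": ["user", "grader-admin"]},
    "/groups/course-a": {"name": "course-a", "roles": ["course-reader"]},
    "/groups/graders": {"name": "graders", "roles": ["course-reader", "user"]},
}

if __name__ == "__main__":
    for name in ("alice", "bob"):
        for role, src in sorted(resolve_roles(name, SAMPLE.__getitem__).items()):
            print(f"{name}: {role} <- {', '.join(src)}")
```

Keeping the source of each role is what makes the output useful for an access review: a role listed with any `group:` source stays in effect after it is removed from the user directly.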