Admins are now forbidden from promoting users to Super Admin. #440
Conversation
JohnServo24
changed the title
components/forms/AddToGroupsForm.js
Outdated
| @@ -8,7 +8,11 @@ export default function AddToGroupsForm({ groups }) { | |||
| const { values, errors, touched } = useFormikContext(); | |||
| const { capabilities } = useContext(CacheContext); | |||
|
|
|||
| const systemSupplied = groups.filter((group) => group.isSystemSupplied); | |||
| const systemSupplied = groups.filter((group) => { | |||
| if (group.id === SUPER_ADMIN_ID && !capabilities.includes(promoteToSuperAdmin)) return; | |||
There was a problem hiding this comment.
We do not check group membership. We do not deal with groups. The concept of groups is an illusion. It does not exist. We only deal with capabilities.
| @@ -16,21 +16,34 @@ export default function AddToGroupsForm({ groups }) { | |||
| <h4 className="mb-4">Groups</h4> | |||
| <h5>System supplied</h5> | |||
| <div className="groups__container"> | |||
| {capabilities.includes(promoteToSuperAdmin) && <div className="groups__item" > | |||
There was a problem hiding this comment.
I'm not comfortable giving 'Super Admin' special treatment.
I suggest we use the parameterized capabilities, so we have something like:
promote_to(super_admin)
promote_to(admin)
promote_to(registered_user)
etc.
There was a problem hiding this comment.
The promoteToSuperAdmin variable is somewhat similar to that. It's a variable that can be found from the constants folder
It is equivalent to this: const promoteToSuperAdmin = '${assignToGroup}(${SUPER_ADMIN_ID})';
Where assignToGroup is the assign_to_group capability and the SUPER_ADMIN_ID is the id # of the Super Admin group, therefore it is equal to assign_to_group(1)
Should I specifically change this to capabilities.includes('promote_to(super_admin)'), where promote_to(super_admin) is a string? (or maybe capabilities.includes('assign_to_group(1)')
GET /api/groupswill still return theSuper Admingroup even if a user doesn't have thepromote_to_super_admincapability.read_groupscapability, they should be able to read all of the groups. Please correct me if I'm wrong here.AddToGroupsForm.js. This component is used to add/edit the groups of a user.promote_to_super_admin, show theSuper Admincheckbox.Super Admincheckbox.read_groupscapability, but they don't have thepromote_to_super_admincapability, the CMS will forbid them from adding themselves or other users to theSuper Admingroup.