fix(examples): fix access control model for Users. #10102

Open
wants to merge 2 commits into base: main
Conversation

@rikrose rikrose commented Dec 20, 2024

In the multi-tenant example, the access control model is broken: a tenant-admin could create, edit and delete super-admins, and make other users and themselves into super-admins. This contribution fixes it so that:

  • Only super-admins can create/edit/delete super-admins.
  • Restricts tenant-admins from activities outside tenants they are admins for. Have not verified that this stops tenant-admins from editing users outside of their own tenants.
  • Removes the Create/Delete button in the admin console if the user is not a super-admin or tenant-admin.

Link to discussion on Discord: https://discord.com/channels/967097582721572934/1319199782996283443

…can create/edit/delete super-admins. Restrict tenant-admins from activities outside tenants they are admins for. Have not verified that this stops tenant-admins from editing users outside of their own tenants.

rikrose commented Dec 20, 2024

Basically the same logic in both changed files, which are only for access control to the Users collection in the multi-tenant example.
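The rules listed in the PR description, written out as an added TypeScript example. This is not code from the Payload multi-tenant example or from this PR; it models the access decision for the Users collection as a pure function so the rules can be checked without a running CMS. The field names (`roles`, `tenants`, the `super-admin` and `tenant-admin` role strings) and the sample users are assumptions. Because it checks both the stored document and the document as it would be after the write, it also denies the case the description says was not verified, a tenant-admin editing a user outside their own tenants, and it blocks a tenant-admin from promoting anyone, themselves included, to super-admin.

```typescript
// Added example, not the project's code. Field names and role strings are assumed.
type GlobalRole = 'super-admin' | 'user'
type TenantRole = 'tenant-admin' | 'tenant-viewer'
type Operation = 'create' | 'read' | 'update' | 'delete'

interface TenantMembership {
  tenant: string // tenant id
  roles: TenantRole[]
}

interface UserDoc {
  id: string
  roles: GlobalRole[]
  tenants: TenantMembership[]
}

function isSuperAdmin(u: UserDoc): boolean {
  return u.roles.includes('super-admin')
}

// Ids of the tenants in which `u` holds the tenant-admin role.
function adminTenants(u: UserDoc): Set<string> {
  return new Set(
    u.tenants.filter((m) => m.roles.includes('tenant-admin')).map((m) => m.tenant),
  )
}

// True when every tenant referenced on `doc` is one the actor administers.
// A document with no tenant at all is out of scope for a tenant-admin.
function withinAdminScope(actor: UserDoc, doc: UserDoc): boolean {
  const scope = adminTenants(actor)
  return doc.tenants.length > 0 && doc.tenants.every((m) => scope.has(m.tenant))
}

// Order-insensitive comparison of the privilege-bearing fields.
function sameRolesAndTenants(a: UserDoc, b: UserDoc): boolean {
  const key = (u: UserDoc) =>
    JSON.stringify({
      roles: [...u.roles].sort(),
      tenants: u.tenants
        .map((m) => ({ tenant: m.tenant, roles: [...m.roles].sort() }))
        .sort((x, y) => x.tenant.localeCompare(y.tenant)),
    })
  return key(a) === key(b)
}

/**
 * Decide whether `actor` may run `op` on the Users collection.
 *   existing: the stored document (undefined for create)
 *   incoming: the document as it would be after the write (undefined for read/delete)
 * Evaluating the post-write state is what stops a tenant-admin from turning a
 * user (or themselves) into a super-admin, or moving a user into another tenant.
 */
function canAccessUser(
  actor: UserDoc,
  op: Operation,
  existing?: UserDoc,
  incoming?: UserDoc,
): boolean {
  if (isSuperAdmin(actor)) return true

  // Rule 1: only super-admins may create, edit, delete (or become) super-admins.
  if (op !== 'read') {
    if (existing && isSuperAdmin(existing)) return false
    if (incoming && isSuperAdmin(incoming)) return false
  }

  // Rule 2: tenant-admins act only inside tenants they administer, judged on
  // the stored document and on the document that would be written.
  if (adminTenants(actor).size > 0) {
    const docs = [existing, incoming].filter((d): d is UserDoc => d !== undefined)
    return docs.length > 0 && docs.every((d) => withinAdminScope(actor, d))
  }

  // Rule 3: everyone else may only read and edit their own document, and a
  // self-edit must leave roles and tenant memberships untouched.
  if (!existing || existing.id !== actor.id) return false
  if (op === 'read') return true
  if (op === 'update' && incoming) return sameRolesAndTenants(existing, incoming)
  return false
}

// Constructed sample users for trying the rules out (not real data).
const superAdmin: UserDoc = { id: 'u-super', roles: ['super-admin'], tenants: [] }
const acmeAdmin: UserDoc = {
  id: 'u-acme-admin',
  roles: ['user'],
  tenants: [{ tenant: 'acme', roles: ['tenant-admin'] }],
}
const acmeUser: UserDoc = {
  id: 'u-acme-user',
  roles: ['user'],
  tenants: [{ tenant: 'acme', roles: ['tenant-viewer'] }],
}
const globexUser: UserDoc = {
  id: 'u-globex-user',
  roles: ['user'],
  tenants: [{ tenant: 'globex', roles: ['tenant-viewer'] }],
}
```

In a real collection config the same function would be called from the collection's access hooks with the requesting user, the stored document and the submitted data; the point of the example is that the decision depends on the post-write document, not only on the actor's own roles.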

@rikrose rikrose marked this pull request as ready for review December 20, 2024 16:15

rikrose commented Dec 20, 2024

Fixing formatting, per suggestion on Discord. Also took the opportunity to have the same logic phrased the same way in both files.
