Zhifan Created Pause User Permission #1196
Conversation
| if (!(await checkPermission(req, 'getUserProfiles') || | ||
| await checkPermission(req, 'pauseResumeUser'))) { |
There was a problem hiding this comment.
| if (!(await checkPermission(req, 'getUserProfiles') || | |
| await checkPermission(req, 'pauseResumeUser'))) { | |
| if (!(await checkPermission(req, 'getUserProfiles'))) { |
You could have someone without 'getUserProfiles' where you only want them to be able to pause people on their team or people otherwise accessible without needing access to everyone.
There was a problem hiding this comment.
Team leaders should not be able to pause people on their team. Confirmed with Jae that people with permission to pause anyone should have access to the user management page, which fetches all users.
| !((await hasPermission(req.body.requestor, 'changeUserStatus') | ||
| || await hasPermission(req.body.requestor, 'pauseResumeUser')) | ||
| && canEditProtectedAccount) |
There was a problem hiding this comment.
This would allow 'pauseResumeUser' to also do what 'changeUserStatus' can do (setting final day for users?).
I don't fully understand why these need to be separate permissions, but they should be different. I asked how this should be handled in the bugs doc.
There was a problem hiding this comment.
The pauseResumeUser function does not allow users to set the final day because the “Set Final Day” button only appears when the condition const canEdit = canEditUserProfile || isUserSelf;is met. Additionally, users cannot set the final day unless they have the changeUserStatus permission.
The changeUserStatus function manages various user status transitions, including deactivating a user, which can occur with or without a time constraint if one is provided. It handles pausing a user, setting the final day, and directly deactivating a user. All these actions request the same endpoint to toggle the user’s status between active and inactive. Access to these different functionalities is differentiated by the frontend. In the original implementation, deactivating a user with a time constraint required multiple permissions.
For potential security concerns, the pause user functionality has been fully isolated from this function.
Description
Related PRS (if any):
This backend PR is related to the #3023 frontend PR.
To test this backend PR you need to checkout the #3023 frontend PR.
…
Main changes explained:
…
How to test:
npm installand...to run this PR locallyScreenshots or videos of changes:
Note:
Include the information the reviewers need to know.