Service instance edit and delete permissions tied to Django permissions #131

Closed
opened 2025-06-30 13:06:03 +00:00 by tobru · 1 comment
Owner

Description

Looking at the code (https://servala.app.codey.ch/servala/servala-portal/src/branch/main/src/servala/frontend/views/service.py#L222-L227) and if I understand it correctly, the "has_change_permission" and "has_delete_permission" checks are tied to the Django permission system. This is suboptimal, as we don't specifically give permissions to users.

Change

Change these checks so that a member of the organization the service instance belongs to with the "Owner" or "Administrator" role has change and delete permission.

tobru added the bug label 2025-06-30 13:06:03 +00:00
rixx was assigned by tobru 2025-06-30 13:06:03 +00:00
tobru added this to the Development Planning project 2025-06-30 13:06:03 +00:00
tobru self-assigned this 2025-07-07 11:12:04 +00:00
rixx was unassigned by tobru 2025-07-07 11:12:04 +00:00
Member

The permissions should be using django-rules – we use the idiomatic `User.has_perm()` which delegates to auth frameworks like django-rules. We currently set the model permission rules in the `rules_permissions` field on the `Model.Meta` class for organizations and for service instances.

I opened #151, which restricts permissions as indicated in the other PR, but also makes a change so that staff users can use the admin interface (which they technically were able to already – given URLs to objects. However, the dashboard with the initial object links was hidden from them due to the missing permission rule).

tobru closed this issue 2025-07-11 14:56:51 +00:00
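The rule requested in this issue, as an added sketch in plain Python (not code from servala-portal, and deliberately not importing Django or django-rules): change and delete are decided per object, by looking up the user's role in the organization that owns the service instance. All class, function and permission names are hypothetical, as are the "Member" role and the inactive-account check.

```python
from dataclasses import dataclass, field

# Roles that may change or delete a service instance, per the issue text.
MANAGING_ROLES = frozenset({"Owner", "Administrator"})

@dataclass(frozen=True)
class Organization:
    name: str

@dataclass
class User:
    name: str
    # Constructed stand-in for a membership table: organization name -> role.
    memberships: dict = field(default_factory=dict)
    is_active: bool = True

@dataclass(frozen=True)
class ServiceInstance:
    name: str
    organization: Organization

def is_org_manager(user, instance):
    """Object-level predicate: the role is looked up in the instance's own organization."""
    if instance is None or not user.is_active:
        return False  # no object to check against, or disabled account (assumption): deny
    role = user.memberships.get(instance.organization.name)
    return role in MANAGING_ROLES

# Permission name -> predicate, the shape a rule-based permission backend evaluates.
RULES = {
    "change_serviceinstance": is_org_manager,
    "delete_serviceinstance": is_org_manager,
}

def has_perm(user, perm, obj=None):
    """Deny by default: unknown permissions and missing objects return False."""
    predicate = RULES.get(perm)
    return bool(predicate and predicate(user, obj))

# Constructed sample data; "Member" is a constructed non-managing role.
acme, globex = Organization("acme"), Organization("globex")
db_acme = ServiceInstance("postgres-1", acme)
db_globex = ServiceInstance("postgres-2", globex)
alice = User("alice", {"acme": "Owner", "globex": "Member"})
bob = User("bob", {"acme": "Administrator"}, is_active=False)
```

The case worth testing in any real implementation is the cross-organization one: a managing role in one organization must grant nothing on another organization's instances.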
Reference: servala/servala-portal#131