New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New (admin) user has no permissions in Console #1162
Comments
@w4tsn what's your configuration? Are you requiring admin approval for new users? Can you show the output of |
Case 1:
Case 2:
I'll update env section with my case 1 configuration. In case 2 I did also not excplicitly set admin approval. The config state admin approval required = false |
I can confirm that the issue can be reproduced on 3.1.0. Also, in the above outputs since the state is not mentioned, it is zero, which means |
Also found the cause: lorawan-stack/pkg/identityserver/user_registry.go Lines 149 to 156 in 55381c1
Users created by an admin do not respect the admin approval setting and always have state default ( STATE_REQUESTED ). Is this intended @htdvisser ?
|
If a user is created by an admin, the If the user is not created by an admin, we assume that their goal is to get approved, and automatically do that if nothing (admin approval requirement) prevents that. They can never make themselves admin from the start. The "create user by admin" functionality in the web UI will make it more clear that the |
With #1190, which includes the functionality I described in my previous comment, I think this issue can now be closed. |
Summary
When creating an admin user in the CLI it may happen that this user has not sufficient rights in the Console to create or edit Gateways and Applications. In another case a new normal user has also no permissions in the console to do anything. It might be a bug or just missing documentation on how to create users properly.
Steps to Reproduce
I'm not completely sure. It's two cases here that may be related to the same cause. In the first case I'm operating on a machine which was not setup by me and I have limited information on the process.
Case 1: foreign stack; setup as version 3.0.0 and upgraded to 3.1.0 before using the Console.
--admin
user (5 .login to console and try to create a Gateway.
*What happend on upgrade was that the Console creation process was done with wrong uris, so we deleted the console client in the database and re-used the
is-db
command. Maybe we screwed up here.Case 2: On my setup:
ttn-lw-cli users create norman --name norman --primary-email-address norman@localhost
using the admin user from getting-startedWhat do you see now?
In either case the Console responds with
Insufficient rights for user 'myuser'
after entering the details and hitting theCreate Gateway
orCreate Application
button.In the browser console there is nothing unusual. The network tab shows a 403 Forbidden response from ttn.
When creating an application over the CLI with the admin user and assigning it to the user in question, the user may see the application/gateway but clicking on it yields in a 403 Forbidden.
What do you want to see instead?
In any case I'd expect a new created user to be able to at least create gateways and applications for itself and be able to open their views when added as collaborator.
I'd also expect more documentation on the user creation process and how to manage user rights.
Environment
The Things Network Stack for LoRaWAN: ttn-lw-stack Version: 3.1.0 Go version: go1.12.7 OS/Arch: linux/amd64
Case 1 config:
stack-config.txt
How do you propose to implement this?
Unfortunately I have no idea where the problem lies.
Can you do this yourself and submit a Pull Request?
I may not be able to implement a fix but I can provide the documentation for the user creation and rights management.
The text was updated successfully, but these errors were encountered: