Proposal for a charge of the user/group creation flow.

[RevREB]

Disclaimer: I am just starting to read thru the code to see how best to do tweaks to make a pull request)

I love the simplified LDAP service. BUT...
Without getting to complicated about the User/Group creation process... (other idea for later)...

The adding a user to a group should be handled in the Group files. Not in the User files.
Doing this a User can create their own user file.
Then the Group Owner would alter the Group file to "invite" that user.
This way commit controls can be applied to the group files, and some extra security will be applied to the creation process.

Would there be a complaint to modify the loop to be...

1. Create users as "group less"
2. Create Groups
3. Add users to groups
   (above is of course over simplified)

I don't wanna go down a route no one is interested in.

[nitnelave]

I think I see where you're coming from: in the lowest levels of implementation, the function that adds a user to a group is in the same file as the user operations. But that doesn't mean that users can add themselves to a group. The checks for permissions are done at a higher layer, either at the LDAP layer or the GraphQL one. The only users who can change group memberships, either adding or removing users from groups are the admins (members of the lldap_admin group).

I invite you to play around with the interface, create a new user and a new group, then log in as that user and try to add yourself to the group: as an unprivileged user, you won't even be able to see the group.

[RevREB]

Im actually pulling outside of the APP and am 100% in the Git side of things... the User.Json and Group.json files. The controls I was talking about are in GIT, via CODEOWNERS

[nitnelave]

I'm not quite sure what you're referring to. There is no user.json file in the project, we don't really use json anywhere.

Are you talking about the web frontend? All the permissions are checked on the backend. Even if you could through some error click on a button adding a user to a group, if you were not logged in as an admin the operation wouldn't succeed.

Are you worried that someone would introduce unwanted changes to the code? All changes have to go through pull requests, and they're all reviewed by me. If we're talking about locking down commit rights, they're locked down to just me, essentially.

[RevREB]

I am refering to the files used with the Bootstrap.sh script.

[martadinata666]

That script is user-contributed. To accommodate automated LLDAP deployment that essentially imports the value of the json file and uses graphl to do "things". Feel free to add refinement.

[RevREB]

awesome! that helps... then the 2nd tier changes i was thinking adding of i might as well just do :) All user management via GitOPS... :) give me a few days :)