I think I see where you're coming from: in the lowest levels of implementation, the function that adds a user to a group is in the same file as the user operations. But that doesn't mean that users can add themselves to a group. The checks for permissions are done at a higher layer, either at the LDAP layer or the GraphQL one. The only users who can change group memberships, either adding or removing users from groups, are the admins (members of the lldap_admin group). I invite you to play around with the interface, create a new user and a new group, then log in as that user and try to add yourself to the group: as an unprivileged user, you won't even be able to see the group.
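The layering described in the reply above, as an added sketch that is not lldap's own code: a storage layer with no permission checks, wrapped by a handler layer that checks the caller's `lldap_admin` membership before touching storage. Every type and function name here (`Backend`, `Api`, `require_admin`, and so on) is hypothetical, and the users and groups are constructed sample data.

```rust
use std::collections::{HashMap, HashSet};

const ADMIN_GROUP: &str = "lldap_admin"; // group name taken from the reply above

#[derive(Debug, PartialEq)]
enum Error { PermissionDenied, NoSuchGroup }

// Low-level storage layer (hypothetical): no permission checks here by design.
#[derive(Default)]
struct Backend { groups: HashMap<String, HashSet<String>> }

impl Backend {
    fn is_member(&self, user: &str, group: &str) -> bool {
        self.groups.get(group).map_or(false, |m| m.contains(user))
    }
    fn add_user_to_group(&mut self, user: &str, group: &str) -> Result<(), Error> {
        self.groups.get_mut(group).ok_or(Error::NoSuchGroup)?.insert(user.to_string());
        Ok(())
    }
    fn remove_user_from_group(&mut self, user: &str, group: &str) -> Result<(), Error> {
        self.groups.get_mut(group).ok_or(Error::NoSuchGroup)?.remove(user);
        Ok(())
    }
}

// Higher layer (stands in for the LDAP/GraphQL handlers): `caller` is the
// authenticated identity, and the check runs before the backend is reached.
struct Api { backend: Backend }

impl Api {
    fn require_admin(&self, caller: &str) -> Result<(), Error> {
        if self.backend.is_member(caller, ADMIN_GROUP) { Ok(()) } else { Err(Error::PermissionDenied) }
    }
    fn add_user_to_group(&mut self, caller: &str, user: &str, group: &str) -> Result<(), Error> {
        // Checked first, so a non-admin cannot even learn whether `group` exists.
        self.require_admin(caller)?;
        self.backend.add_user_to_group(user, group)
    }
    fn remove_user_from_group(&mut self, caller: &str, user: &str, group: &str) -> Result<(), Error> {
        self.require_admin(caller)?;
        self.backend.remove_user_from_group(user, group)
    }
}

// Constructed sample data: one admin and an empty "staff" group.
fn demo() -> Api {
    let mut backend = Backend::default();
    backend.groups.insert(ADMIN_GROUP.into(), HashSet::from(["admin".to_string()]));
    backend.groups.insert("staff".into(), HashSet::new());
    Api { backend }
}

fn main() {
    let mut api = demo();
    println!("{:?}", api.add_user_to_group("alice", "alice", "staff"));
    println!("{:?}", api.add_user_to_group("admin", "alice", "staff"));
}
```
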
(Disclaimer: I am just starting to read through the code to see how best to do tweaks to make a pull request)
I love the simplified LDAP service. BUT...
Without getting too complicated about the User/Group creation process... (other idea for later)...
Adding a user to a group should be handled in the Group files. Not in the User files.
Doing this, a User can create their own user file.
Then the Group Owner would alter the Group file to "invite" that user.
This way commit controls can be applied to the group files, and some extra security will be applied to the creation process.
Would there be a complaint to modify the loop to be...
(above is of course over simplified)
I don't wanna go down a route no one is interested in.