Ecoverse admin rights question #405
-
It appears that ecoverse admins have admin rights for every ecoverse (and not just their own).
-
Regarding Ecoverse admins - they have the rights to see the data related to other Ecoverses, and attempting to save the changes is blocked by the authorization policies. @techsmyth, probably we should disable the possibility for a user to see entities (in edit mode) for which they don't have the right permissions "update/delete/write".
-
Hi Flori, Agreed that would ideally not show options that a user cannot carry out. There is a placeholder for this, but well down the backlog at the moment: #334 - but might need to come up somewhat. Evgeni: your comments are spot on, only addition is that also the ability to read is protected by the server authorization - so if Flori tries to, for example, "see" the list of challenges inside The Hague ecoverse this would also not work. Cheers, Neil
-
Hi Flori, It is indeed as Evgeni says: your challenges are already visible publicly, so Wouter would have been able to read them. He would not have been able to read the contents of the challenges from The Hague ecoverse as they are private. Might be interesting for him to try that out. Note indeed that you are currently global admin so you can see everything. The authorization is enforced at the server, so any client connecting in has the same visibility: whether it is the default web client that you primarily use, or the GraphQL API that you sometimes use :) Or some other interface. Hope this helps, happy to chat through more. It is key that the authorization is enforced at the server in order to be secure as a platform. Cheers, Neil
-
Ok thanks! Sounds good. Once I am back on ecoverse admin I will try it out.