feat: adding a note explaining userroles available #1528

dayures · 2025-03-21T07:40:42Z

Based on https://community.dhis2.org/t/user-cannot-access-roles-when-creating-another-user/2984/2 from @larshelge

@larshelge

Based on https://community.dhis2.org/t/user-cannot-access-roles-when-creating-another-user/2984/2 from @larshelge

jason-p-pickering

Thanks @dayures . I think we should go a bit further here. The important concept is that users

Should not be able to give away their own roles due to the security issues you mention
Only grant other users roles which themselves are a subset of their own role/roles.

While I think we can point out how to enable users giving away their own roles, I think we should provide a much clearer warning about what you generally do not want to do this.

dayures · 2025-04-08T14:03:15Z

@jason-p-pickering what do you think about adding this line at the beginning? "By default, to prevent security issues, users are not be able to give away their own roles. Users should only be able to grant other users roles that are a subset of their own."

feat: adding a note explaining userroles available

7bf09f0

Based on https://community.dhis2.org/t/user-cannot-access-roles-when-creating-another-user/2984/2 from @larshelge

jason-p-pickering requested changes Apr 8, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: adding a note explaining userroles available #1528

feat: adding a note explaining userroles available #1528

dayures commented Mar 21, 2025

jason-p-pickering left a comment

dayures commented Apr 8, 2025

feat: adding a note explaining userroles available #1528

Are you sure you want to change the base?

feat: adding a note explaining userroles available #1528

Conversation

dayures commented Mar 21, 2025

jason-p-pickering left a comment

Choose a reason for hiding this comment

dayures commented Apr 8, 2025