[User groups][Members] Implement 'User ID Overrides' section #548

carma12 · 2024-09-10T15:06:27Z

The 'User groups' > 'Members' > 'User ID Overrides' section needs to be implemented and its components adapted to reflect the same behavior as in the modern WebUI (e.g., its 'Add' modal is slightly different than in other sections).

How to reproduce (from current WebUI)

Create a new ID View and some Active users (these will be associated later)
Go to the new ID View settings page
In the 'Overrides' tab section, add the newly-created users
Create a new User group and go to its 'Members' > 'User ID Overrides' section
Add any of the users associated to the ID View

Problem

It seems to be an issue that affects the addition and removal of User ID Overrides items. This is affecting both current and modern WebUI. Video that reproduces the issue.
Further investigation and possible report will be done on this.

src/components/Members/AddModalBySelector.tsx

src/components/Members/MembersUserIDOverrides.tsx

src/pages/UserGroups/UserGroupsMembers.tsx

carma12 · 2024-09-11T09:19:46Z

@mreynolds389 - I corrected the code based on your comments. The implementation of the tests are not possible at this point because it requires to add new ID Views and assign users from the 'Overrides' section, and that functionality is not implemented yet in the modern WebUI. So I will create an issue to track this and not forget about it. Feel free to keep reviewing, thanks!

carma12 · 2024-09-11T09:22:45Z

New issue for the tests created: #549

The 'User groups' > 'Members' > 'User ID Overrides' section needs to be implemented and its components adapted to reflect the same behavior as in the modern WebUI (e.g., its 'Add' modal is slightly different than in other sections). Signed-off-by: Carla Martinez <[email protected]>

abbra · 2024-09-16T12:45:40Z

So, the core of the problem is that we only should be allowing ID overrides from 'Default Trust View' to be added to groups as 'ID overrides'. These are the only ones that matter because the groups in questions will be used for LDAP access controls. Access control in LDAP will be done against LDAP DN of the bound account which can only be mapped to the entry in "Default Trust View" ID View and not any other ID view.

So we'd need to fix following:

IPA server side needs to prevent adding ID overrides from any other ID view than 'Default Trust View'.
Web UI needs to not show any other ID view than 'Default Trust View' when allowing to choose an ID override to add to a group as a member

carma12 · 2024-09-17T07:37:55Z

This PR won't be merged due to some existing errors in IPA (reported here and here). We will wait until those are fixed in order to continue with the implementation of this feature.

carma12 added the needs-review This PR is waiting on a review label Sep 10, 2024

carma12 requested a review from mreynolds389 September 10, 2024 15:06

carma12 force-pushed the user-groups-members-useridoverrides-2 branch 2 times, most recently from b1325e8 to 440bc38 Compare September 10, 2024 15:10