Permissions: Accessing content by book URL
From QA of permissions in #974 (closed)
Expected behaviour
Users should only be able to access content in their organization, according to their role. (See user permissions sheet). When we remove a user from the organisation, they should no longer have access to the books inside that organisation, even when visiting the URL directly.
User should see something like the following in the UI:
You do not have permission to access this page. Please contact a BCMS System Admin if you require access.
Current behaviour
- Removing Sys Admins: if at some point we change access for a sys admin by removing their sys admin role, and this user has created books and still has the links to those books, they can still access everything in those books and perform actions there. This user also remains listed as an editor in the team modal of the books they created, even after being removed from the sysadmin role.
- Removing Org Admins: same issue as above. They can still access the books they created.
- Removing Editor role: same issue as above. When you remove the editor role from a user in the organisation's users tab, they can still see the books they created. The user is also not removed from the books they were added to through the team modal or the team tab of a book component.

Issue confirmed with Stacy on 4 May 2022.

(If given a correct book link after your Org access has been removed, you can still access the book manager page and make changes to book settings, metadata and team.)
Steps to reproduce
Case 1: SysAdmin role
- Create a new user
- From main dashboard of all users tab, add the role of sysadmin to the user
- Login as this new user
- Create a book (save the link of the book after it is created)
- Login as the admin and remove the role of sys admin from this user. This user is now left with no role.
- Login as the user you created. On the main dashboard, you will see the message that you are not assigned to any organization.
- While staying logged in, visit the book link from step 4. You will be able to access it, because the user is automatically added as an editor of the book.
Case 2: OrgAdmin role
- Create a new user
- Login as the new user and request access to an organization
- Login as admin, and go to this organization users tab and accept the request. Also assign the role 'Org Admin'.
- Login as the new user, which now has the role of org admin on the organization
- Create a book (save the link of the created book)
- Login as the admin, go to the organization users tab again and remove the role of org admin from the user.
- Login again as this new user, which now has no role. They can still view the organization main page, but not its content.
- Click the link you saved from step 5. The user can still access this book and is still part of the book team as an editor.
Case 3: Editor role
- Create a new user
- Login as the new user and request access to an organization
- Login as admin, and go to this organization users tab and accept the request. Also assign the role 'Editor'.
- Login as the new user, which now has the role of Editor on the organization
- Create a book (save the link of the created book)
- Login as the admin, go to the organization users tab again and remove the role of editor from the user.
- Login again as this new user, which now has no role. They can still view the organization main page, but not its content.
- Click the link you saved from step 5. The user can still access this book and is still part of the book team as an editor.
Note that for the Editor role there is another case: in step 5, instead of creating a book, you add the user as an Editor on a book team.
When you then remove the role from the organization users tab, the user still remains on the teams of the books you added them to, and can still access those books if they have the URL. You have to remove the user from the book team modal for them to lose access to the books.
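The three cases above all have the same root cause: book access is granted by a book-team entry that is never revoked when the organisation role is removed. The following is an added illustration, not BCMS code, of an authorisation check that decides from the user's current organisation role first (so a stale team entry, or a directly visited URL, no longer grants access) together with a role-removal step that prunes the user from that organisation's book teams; the `User`, `Book`, role names and `reproduce_case_3` helper are assumptions for the example.

```python
# Added example (not BCMS/Ketida code): authorise book access from the user's
# *current* organisation role, not from a possibly stale book-team entry.
from dataclasses import dataclass, field

SYS_ADMIN, ORG_ADMIN, EDITOR = "sysAdmin", "orgAdmin", "editor"   # assumed role names
DENIED = ("You do not have permission to access this page. "
          "Please contact a BCMS System Admin if you require access.")

@dataclass
class User:
    id: str
    sys_admin: bool = False
    org_roles: dict = field(default_factory=dict)   # org_id -> role

@dataclass
class Book:
    id: str
    org_id: str
    team: set = field(default_factory=set)          # user ids on the book team

def can_access_book(user: User, book: Book) -> bool:
    """Team membership alone is not enough: the org role is checked first."""
    if user.sys_admin:
        return True
    role = user.org_roles.get(book.org_id)
    if role is None:
        return False              # no longer in the org: ignore stale team entry
    if role == ORG_ADMIN:
        return True
    return user.id in book.team   # editors must also be on the book team

def open_book_url(user: User, book: Book):
    """What a direct URL visit should return: the book, or the denial message."""
    return book if can_access_book(user, book) else DENIED

def remove_org_role(user: User, books: list, org_id: str) -> None:
    """Revoke the org role and prune the user from that org's book teams."""
    user.org_roles.pop(org_id, None)
    for book in books:
        if book.org_id == org_id:
            book.team.discard(user.id)

def reproduce_case_3():
    """Case 3 above: an editor creates a book, then loses the editor role."""
    u = User("u1", org_roles={"org1": EDITOR})
    book = Book("b1", "org1", team={"u1"})       # creator auto-added to the team
    before = can_access_book(u, book)
    remove_org_role(u, [book], "org1")
    after = can_access_book(u, book)
    return before, after, "u1" in book.team      # expected (True, False, False)
```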
Environment
[Provide browser name and version and if you're working from a PC or Mac]
Possible solution
[Not required. Suggest a fix for the bug]
Priority
[Select "Y" for the relevant priority and provide an explanation]
- Resolving this bug is required for migration (Y/N)
- This can be prioritised after migration (Y/N)