Org "Editor" can change Org user permissions and give themselves access as Org admin, and can remove other Editors' permissions
cc @DioneMentis
Expected behaviour
Editors and Org admins should be able to assign roles, but with limits on which roles they can assign to others and to themselves (for example, an Editor shouldn't be able to assign themselves the role of Org admin or remove another Editor from the project). Refer to the role permissions sheet to determine the exact permissions that should be allowed for each role (note that some roles, such as 'Author' and 'Previewer', are still in development or pending development).
Current behaviour
My user named Christina Testing, with username CTTesting, requested access to CT org 2022-03-11-13-24 and was added as an Editor to CT org 2022-03-11-13-24 by username 'admin'. CTTesting was then able, on this page, to select their own name, add themselves as an Org admin, and then see all Org admin pages.
Steps to reproduce
Example here, when logged in as Editor only: https://ncbidev.cloud68.co/organizations/21cdab60-d43f-4d9b-8480-694940cda0e7
- Log in as a user with Editor access to an organisation, OR request Editor access to an organisation from a user account which doesn't have Org admin access yet.
- Accept that access request and assign Editor role from the admin account
- In the Org Editor account, go to the Org Users tab and select your own Editor name, and assign it an Org admin role and save
- Notice that you now have Org admin access and can see pages restricted to Org admins
Environment
[Provide browser name and version and if you're working from a PC or Mac]
Possible solution
Allow Editors to assign Editor roles (and Author roles, when developed) but not Org admin roles. Enforce this check on the server side in the role-assignment handler, not only by hiding the option in the UI, since the bulk-actions path and direct API requests would otherwise bypass a UI-only restriction.
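As an added example (not Coko's or NCBI's own code), the following JavaScript shows a server-side policy function that encodes the rules stated in this issue: sysadmins may grant or revoke any role and disable accounts, Org admins may toggle both the Editor and Org admin roles, and Editors may grant the Editor role but may neither grant Org admin (to themselves or anyone else) nor remove another Editor. The role names `editor` and `orgAdmin`, the user record shape, the function names, and the choice to deny Editors any revocation by default are assumptions; the sample data replays the scenario from the bug report and is constructed for the example.

```javascript
// Added example, not project code. Role names, data shapes and function
// names are assumptions made for illustration.

// Rank expresses "an actor may not grant a role above their own level".
const ROLE_RANK = Object.freeze({ editor: 1, orgAdmin: 2 });

// Roles an Editor may grant. 'author' is still pending development per the
// issue, so it is deliberately not listed yet.
const EDITOR_GRANTABLE = new Set(['editor']);

// Assumed user record: { id, sysadmin, disabled, orgRoles: { [orgId]: Set } }
function rolesIn(user, orgId) {
  return user.orgRoles[orgId] || new Set();
}

function highestRank(roles) {
  let best = 0;
  for (const r of roles) best = Math.max(best, ROLE_RANK[r] || 0);
  return best;
}

// Policy decision for one change. Returns { allowed, reason } so the caller
// can both enforce and log the outcome.
//   change = { orgId, action: 'grant' | 'revoke', role }
//          | { orgId, action: 'disable' }
function authorizeRoleChange(actor, target, change) {
  const { orgId, action, role } = change;
  if (actor.sysadmin) return { allowed: true, reason: 'sysadmin' };
  // The QA steps show account disabling only for sysadmin (assumption).
  if (action === 'disable') return { allowed: false, reason: 'disable requires sysadmin' };
  if (action !== 'grant' && action !== 'revoke') return { allowed: false, reason: 'unknown action' };
  if (!(role in ROLE_RANK)) return { allowed: false, reason: `unknown role ${role}` };

  const actorRoles = rolesIn(actor, orgId);
  if (actorRoles.size === 0) return { allowed: false, reason: 'actor has no role in this org' };
  // Org admins may change both the Editor and Org admin toggles for anyone.
  if (actorRoles.has('orgAdmin')) return { allowed: true, reason: 'org admin' };

  // Actor is an Editor. Never grant above the actor's own level: this is the
  // check that blocks the self-promotion in the bug report.
  if (action === 'grant' && ROLE_RANK[role] > highestRank(actorRoles)) {
    const who = actor.id === target.id ? 'self-promotion' : `promotion of ${target.id}`;
    return { allowed: false, reason: `editor cannot grant ${role} (${who})` };
  }
  if (action === 'grant') {
    return EDITOR_GRANTABLE.has(role)
      ? { allowed: true, reason: 'editor granting a permitted role' }
      : { allowed: false, reason: `editor cannot grant ${role}` };
  }
  // Editors must not remove another Editor; deny all revocations by default
  // (assumption; the permissions sheet decides whether leaving an org is allowed).
  return { allowed: false, reason: 'editors cannot revoke roles' };
}

// Enforce the policy before touching the store; throw on denial.
function applyRoleChange(store, actorId, targetId, change) {
  const actor = store.users[actorId];
  const target = store.users[targetId];
  const decision = authorizeRoleChange(actor, target, change);
  if (!decision.allowed) {
    throw new Error(`403 ${actorId} -> ${targetId} ${change.action}: ${decision.reason}`);
  }
  if (change.action === 'disable') { target.disabled = true; return target; }
  const set = target.orgRoles[change.orgId] || (target.orgRoles[change.orgId] = new Set());
  if (change.action === 'grant') set.add(change.role); else set.delete(change.role);
  return target;
}

function makeUser(id, opts = {}) {
  return { id, sysadmin: !!opts.sysadmin, disabled: false, orgRoles: {} };
}

// Constructed sample data replaying the report: 'admin' makes CTTesting an
// Editor, then CTTesting tries to make themselves Org admin.
function demo() {
  const ORG = 'CT org 2022-03-11-13-24';
  const store = { users: {
    admin: makeUser('admin', { sysadmin: true }),
    CTTesting: makeUser('CTTesting'),
    otherEditor: makeUser('otherEditor'),
    newcomer: makeUser('newcomer'),
  } };
  const u = store.users;
  const grant = (role) => ({ orgId: ORG, action: 'grant', role });
  const revoke = (role) => ({ orgId: ORG, action: 'revoke', role });
  applyRoleChange(store, 'admin', 'CTTesting', grant('editor'));
  applyRoleChange(store, 'admin', 'otherEditor', grant('editor'));
  const r = {};
  r.selfPromote = authorizeRoleChange(u.CTTesting, u.CTTesting, grant('orgAdmin')).allowed;
  r.promoteOther = authorizeRoleChange(u.CTTesting, u.newcomer, grant('orgAdmin')).allowed;
  r.revokeOther = authorizeRoleChange(u.CTTesting, u.otherEditor, revoke('editor')).allowed;
  r.grantEditor = authorizeRoleChange(u.CTTesting, u.newcomer, grant('editor')).allowed;
  applyRoleChange(store, 'admin', 'otherEditor', grant('orgAdmin'));
  r.adminGrantsOrgAdmin = authorizeRoleChange(u.otherEditor, u.newcomer, grant('orgAdmin')).allowed;
  r.adminRevokesEditor = authorizeRoleChange(u.otherEditor, u.CTTesting, revoke('editor')).allowed;
  r.adminDisables = authorizeRoleChange(u.otherEditor, u.newcomer, { orgId: ORG, action: 'disable' }).allowed;
  r.ctTestingIsOrgAdmin = rolesIn(u.CTTesting, ORG).has('orgAdmin');
  return r;
}
```

The decision function is separate from the store mutation so the same check can sit in front of the single-user modal, the bulk-actions handler, and any direct API mutation; it also returns a reason string so denied escalation attempts can be logged rather than silently swallowed.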
NCBI's priority feedback
Y (Has been completed by Coko, assumed to be a priority)
QA Steps
- Create a sysadmin user.
- Create another user and request access to an existing or new org that you have.
- With the sysadmin account, accept this user's request. Check that you can add the Editor role, add the Org admin role, and also disable the account.
- Add the Editor role to this user.
- Log in with the Editor's account; you should see the Users tab and your user modal. Confirm that you can't add yourself as an Org admin from the user modal or from the bulk actions at the bottom left.
Additionally
- Add a user with the Org admin role.
- Confirm that this user has access to change both toggles, for the Editor and Org admin roles.