Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change default of auth.roles.editor to ROLE_USER (allowing everyone to use the editor) #1203

Open
LukasKalbertodt opened this issue Jul 9, 2024 · 3 comments
Labels
area:auth Authentication and Authorization changelog:breaking Breaking changes kind:improvement next-breaking-change Things that should be released with the next breaking-change release status:blocked Blocked by something else

Comments

@LukasKalbertodt
Copy link
Member

The editor button is only shown for events that the user has write access to. So unlike the permissions for Studio and the uploader, there are other pre-conditions and generally, the risk of users abusing this power is a lot lower. Again: they had to be given write access to an event first.

There are very few reasons to disable the editor for users. For example, if there are custom workflows that don't work with the editor, or if users are supposed to use some other software for editing videos. On the other hand, having the editor button not show up for users with write access to a video can cause lots of confusion. So I think changing the default is a good idea.

Unfortunately, there is still one main reason to disable the editor: #600. So this issue is blocked by #600 and we should only change the default once we can make sure the auth works all the time.

@LukasKalbertodt LukasKalbertodt added kind:improvement status:blocked Blocked by something else area:auth Authentication and Authorization labels Jul 9, 2024
@oas777
Copy link
Collaborator

oas777 commented Jul 9, 2024

Quick question mainly for my understanding: This would allow everyone to see (and use) the editor

  • for videos they have been given write-access to and/or
  • their own videos (if they own the global right to upload).

Correct?

@LukasKalbertodt
Copy link
Member Author

Yes, but the second point is redundant as users have write-access to their own videos. (At least unless taken away somehow, but that's super rare). So the statement can be shortened to: "This would allow everyone to see (and use) the editor for videos they have write-access to."

@LukasKalbertodt LukasKalbertodt added the changelog:breaking Breaking changes label Aug 7, 2024
@LukasKalbertodt LukasKalbertodt added the next-breaking-change Things that should be released with the next breaking-change release label Nov 4, 2024
@LukasKalbertodt LukasKalbertodt added this to the v3.0 milestone Nov 13, 2024
@LukasKalbertodt
Copy link
Member Author

Not doing this in 3.0 as we are still waiting for #600

@LukasKalbertodt LukasKalbertodt removed this from the v3.0 milestone Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area:auth Authentication and Authorization changelog:breaking Breaking changes kind:improvement next-breaking-change Things that should be released with the next breaking-change release status:blocked Blocked by something else
Projects
None yet
Development

No branches or pull requests

2 participants