[Group Roles] Role Assignment Fails When the Assigner's Role is Ranked Below the Assignee's Role
tracked
owlboy
Not only is this confusing, and unexpected behavior, but the website does not prevent attempting to assign roles that are un-assignable.
Please see the screenshots for clear details!
Thanks!
unexcept
As a bit of a follow up, while previously marked tracked, this has now been moved to a more appropriate backlog, but when picked up will mostly be a task about making the UI clearer.
What you're hitting is functionality as intended. But let me clarify that!
Every role has an implied rank based on their order. Owner is 0 and they go up from there. The lower the number the higher the rank. Members have an implied rank based on the roles they have assigned (or max_roles + 1 if no roles assigned). These ranks are not stored against the membership, nor do we ever expose or return them to users, and they are entirely dynamic based on a given user's roles. Those implied ranks are used when deciding if you can act on another member, or if you can edit a role.
If you have the permission to manage members or assign roles, you can only manage members of a rank lower than yours, and only assign roles of a rank lower than yours. Ranks also mean you can't kick/ban anyone of the same rank or higher even with the permissions to do so.
The same applies if you have the permission to create/manage roles: you cannot edit a role of a rank the same as yours or higher.
The UI should reflect this, but currently does not. If the target member is the same or higher rank, the UI should grey out and show a warning. It should also hide or grey out roles which are of the same or higher rank even if you can manage that member.
We're sorry that this is confusing! Permissions systems are hard and we've tried to pack a lot of interesting ways to use this system, but are not doing a good job conveying that to users.
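The rank rules described in the reply above, as an added example that models them in code (this is not VRChat's implementation; the role list, member set and the permission names other than "group-members-manage" are constructed for the example):

```python
# Added example, not VRChat's code: a model of the implied-rank rule described above.
# Only "group-members-manage" appears in the thread; the other two names are hypothetical.
MEMBERS_MANAGE = "group-members-manage"
ROLES_ASSIGN = "group-roles-assign"      # hypothetical permission name
ROLES_MANAGE = "group-roles-manage"      # hypothetical permission name


class Group:
    def __init__(self, roles, members, permissions):
        self.roles = roles              # ordered role names; index 0 is Owner, lower index = higher rank
        self.members = members          # member id -> set of assigned role names
        self.permissions = permissions  # member id -> set of permission strings

    def role_rank(self, role):
        return self.roles.index(role)

    def member_rank(self, member):
        # Derived from the member's current roles on every check; never stored or returned to users.
        assigned = self.members.get(member, set())
        if not assigned:
            return len(self.roles) + 1  # max_roles + 1 for a member with no roles
        return min(self.role_rank(r) for r in assigned)

    def _has(self, member, perm):
        return perm in self.permissions.get(member, set())

    def can_manage_member(self, actor, target):
        # Covers editing notes and kick/ban: target must be strictly lower-ranked (larger number).
        return self._has(actor, MEMBERS_MANAGE) and self.member_rank(target) > self.member_rank(actor)

    def can_assign_role(self, actor, target, role):
        # Assumption: assigning acts on the member, so both the target and the role must rank below the actor.
        return (self._has(actor, ROLES_ASSIGN)
                and self.member_rank(target) > self.member_rank(actor)
                and self.role_rank(role) > self.member_rank(actor))

    def can_edit_role(self, actor, role):
        return self._has(actor, ROLES_MANAGE) and self.role_rank(role) > self.member_rank(actor)


# Constructed sample group: four roles, five members (erin holds two roles, dave none).
GROUP = Group(
    roles=["Owner", "Admin", "Moderator", "Member"],
    members={"alice": {"Owner"}, "bob": {"Admin"}, "carol": {"Moderator"},
             "dave": set(), "erin": {"Member", "Moderator"}},
    permissions={m: {MEMBERS_MANAGE, ROLES_ASSIGN, ROLES_MANAGE} for m in ("alice", "bob", "carol")},
)
```

The same-rank case (`bob` editing `bob`, or `carol` editing `erin`) is exactly the 403 "same or higher rank" refusal reported later in the thread, which the UI should reflect before the request is sent.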
unexcept
Merged in a post:
Error when editing same/higher rank user from search members results
Patroll
Scenario
I'm in a group (grp_680d2e7e-e34f-41cb-a424-cb3a074f5216) and have the following permissions:
"group-instance-join"
"group-instance-plus-portal"
"group-members-manage"
"group-members-viewall"
I believe that "group-members-manage" permission allows you to edit group notes about users.
Error
Browsing Members tab in the group correctly doesn't show an edit button next to users of the same or higher rank (screenshot #3). This is not the case if you use the Search Group Members function - an edit button shows up next to member results (with the same or higher rank than you) (screenshot #2) that opens "Managing <username>" modal with Notes field. Trying to edit the note fails silently with the response error code of 403 Forbidden ({message: "You're not allowed to change a member of the same or higher rank․", status_code: 403}) (screenshot #1).
Solution
Don't show edit button next to users in member search results that are of the same or higher rank (just like in Members tab).
owlboy
unexcept Thanks for the details!
StormRel
tracked