Comment 4 for bug 1252341

Facundo Maldonado (facundo-n-maldonado) wrote :

Partial fix for this bug was submitted to review in Keystone.
For Horizon, I need some help deciding how to proceed.

When a role is removed from a project, if the user is logged
in to that project we have some issues:
1- the user has two roles in a project (admin and member, not current prj)
 and member role is removed --> solved with keystone fix in patch 1
2- the user has the admin role in two projects, remove the admin role from a project (not current project)
 --> solved with keystone patch
3- the user has at least two roles in a project (admin and member, current project)
 and member is removed --> token is removed in keystone.
 Three options here:
 a- force the user to logout (like change password)
  I don't like this option because if the user is changing the grants of various users
  it will be interrupted when the current user is selected to update.
  Changes for other users will be discarded.
 b- Prevent removing the current user's roles and display a warning message.
  Doesn't seem to be a solution, the current admin user can add roles but can't remove.
 c- Regenerate the token after removing the role assignment.
  I think this is the best option. No clue where to start. Not sure if a situation similar
  to solution a can take place.