Open
Description
When connecting Izanami to an external authentication provider, it's possible to set users' initial rights based on their roles.
However this is just an initial configuration; users' rights can be modified in any way after this initial right assignation.
For security reasons, it would be nice to be able to define "maximum rights" for each role, for instance to ensure that a user with a low-right role can't become admin of the Izanami instance.
TODO
MUST
- Max rights must be configurable through env variable / config file or through UI (as for other OIDC configuration, configuration through UI should NOT be possible when configured with env variable / config file).
- When an external user logs in, its roles should be checked to ensure that its rights are not above max rights. If the user has more rights than allowed by max rights, its rights should be reduced.
- When updating a user's rights, Izanami should ensure that the new rights for the user are not above max rights.
- When updating max rights configuration, Izanami should check for logged-in users to reduce their rights immediately if needed.
- When updating max rights configuration, impacted users should be logged out.
- Rights for impacted users should be updated at their next login; in the meantime Izanami should display their rights using both their old rights AND the max rights configuration.
- When default rights and max rights are in conflict (default rights are above max rights) max rights should be applied
- Update default users rights on login
SHOULD
- A popup should also give all information on right update failure
- When rights are reduced for a user at login, a popup should inform him, explaining what has changed and why
- Check on max rights for each operation
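The MUST items above (reduce rights at login, reject updates above max rights, max rights winning over default rights, and displaying old rights combined with the max rights configuration) all come down to one clamping operation. The following is an added illustration, not Izanami's own code; the right levels (NONE < READ < WRITE < ADMIN), the tenant/project scopes, the rule that a project's cap falls back to its tenant's cap, and all names are assumptions:

```python
# Added example (not Izanami's own code): a model of clamping a user's rights
# to a configured "max rights". Levels, scopes and field names are assumptions.
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "WRITE", "ADMIN"]   # assumed ordering, least to most

def lower(a, b):
    """Meet of two levels: whichever grants less."""
    return a if LEVELS.index(a) <= LEVELS.index(b) else b

@dataclass
class Rights:
    admin: bool = False                              # instance-wide admin
    tenants: dict = field(default_factory=dict)      # tenant -> level
    projects: dict = field(default_factory=dict)     # (tenant, project) -> level

def clamp(rights, max_rights):
    """Return (reduced rights, list of changes) so nothing exceeds max_rights.
    An empty change list means the rights were already within bounds."""
    changes = []
    out = Rights(admin=rights.admin and max_rights.admin)
    if rights.admin and not out.admin:
        changes.append("instance admin revoked")
    for tenant, level in rights.tenants.items():
        allowed = max_rights.tenants.get(tenant, "NONE")
        new = lower(level, allowed)
        if new != level:
            changes.append(f"tenant {tenant}: {level} -> {new}")
        if new != "NONE":
            out.tenants[tenant] = new
    for (tenant, project), level in rights.projects.items():
        # Assumption: a project's cap defaults to its tenant's cap when unset.
        allowed = max_rights.projects.get(
            (tenant, project), max_rights.tenants.get(tenant, "NONE"))
        new = lower(level, allowed)
        if new != level:
            changes.append(f"project {tenant}/{project}: {level} -> {new}")
        if new != "NONE":
            out.projects[(tenant, project)] = new
    return out, changes

def within_max(rights, max_rights):
    """Check used when an admin edits a user: reject updates above max rights."""
    return not clamp(rights, max_rights)[1]

# Constructed sample: an OIDC role mapped to admin on tenant "demo", but the
# max-rights configuration caps that role at WRITE and forbids instance admin.
MAX_FOR_ROLE = Rights(admin=False, tenants={"demo": "WRITE"})
ROLE_DEFAULT = Rights(admin=True, tenants={"demo": "ADMIN"},
                      projects={("demo", "app"): "ADMIN"})
```

Calling `clamp(ROLE_DEFAULT, MAX_FOR_ROLE)` yields the rights actually granted at login together with the change list a popup could show; the same call applied to a stored user and the current max rights gives the "old rights AND max rights" view, and `within_max` is the guard for right updates.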