Discussion:
User rights to only edit domain aliases in WAP
Tobias Brunner
2016-10-04 20:43:04 UTC
Permalink
Hi Kolabians,

I'd like to allow a user to only edit domain aliases in WAP but not add
or remove (deactivate) a domain. Experiments with LDAP ACLs didn't help
here, it looks like WAP doesn't support this use case. How do others see
this?

Searching the code reveals that the API only supports "entryLevelRights"
and not "attributeLevelRights":
https://git.kolab.org/diffusion/WAP/browse/master/lib/api/kolab_api_service_domains.php.
Do I interpret this correctly?

Are there any possibilities to hide the "Add Domain" link at the top
right in WAP?

Cheers,
Tobias
Tobias Brunner
2016-10-05 07:24:35 UTC
Permalink
Post by Tobias Brunner
I'd like to allow a user to only edit domain aliases in WAP but not add
or remove (deactivate) a domain. Experiments with LDAP ACLs didn't help
here, it looks like WAP doesn't support this use case. How do others see
this?
Searching the code reveals that the API only supports "entryLevelRights"
https://git.kolab.org/diffusion/WAP/browse/master/lib/api/kolab_api_service_domains.php.
Do I interpret this correctly?
Yes, the only way is to remove "Add" permission from entryLevelRights.
The code is in kolab_api_service_domain.php. Note that capabilities are
cached in session, so to see a change you have to re-login or enable
devel_mode.
Does that mean I would have to change that directly in the code? Or can
I do that using some configuration options?

Cheers,
Tobias

Loading...