I finally got around to testing some of the roles added in #1403208: Add additional roles, only to discover that they aren't all that useful as currently implemented.

The 'aegir administrator' role requires:

  • access administration menu
  • administer platforms
  • administer servers
  • access content
  • view revisions
  • administer hosting aliases
  • create site aliases
  • edit all quotas
  • view all quotas
  • view own quota
  • access hosting signup form
  • administer ssl
  • access user profiles

The 'aegir account manager' role requires the following:

  • administer clients
  • access content
  • access user profiles
  • edit all quotas
  • view all quotas
  • view own quota
  • edit client uname

The 'aegir client' role requires the following:

  • view own quota
  • create site aliases
  • create verify task
  • create clone task
  • create migrate task
  • administer ssl

The 'aegir platform manager' role requires the following:

  • view package
  • administer platforms
  • cancel own tasks
  • view own tasks
  • access content
  • view own tasks
  • view task
  • administer sites
  • create verify task
  • retry failed tasks

Comments

ergonlogic’s picture

Status: Active » Needs review

Pushed in hostmaster in 8aa500b, and the hook_update in hosting in 97ca920.

Setting to 'needs review' to get some eyes on it from other maintainers.

ergonlogic’s picture

missed the 'access task logs' permission for 'aegir client' role. Fixed in 519485c and 1d34fa5.

ergonlogic’s picture

missed 'administer clients' for 'platform manager' role, so they can manage platform access control. Fixed in 377a9b7 and 7638442.

ergonlogic’s picture

missed 'view package' for 'aegir client' role. Fixed in 1e1b6e7 and a84bfdf.

ergonlogic’s picture

missed 'administer tasks' for platform manager to be able to view tasks.

'view platform', 'view revisions' and 'edit site' for clients.

'update status of tasks' for aegir administrator

'view_site' for account managers.

I believe our roles now provide useful feature sets.

ergonlogic’s picture

anarcat’s picture

what needs to be reviewed here?

it seems all very shiny, go. :)

anarcat’s picture

wait, why does the client need administer ssl?

ergonlogic’s picture

re. #8, I believe they cannot enable SSL on a site without it.

anarcat’s picture

that sounds wrong - administer ssl, in my mind, involves a lot more... but maybe we just need to fix SSL permissions in another issue (e.g. #537022: domain-restricted certificates).

ergonlogic’s picture

Well, all that the 'administer ssl' permission does is control access to the SSL form elements on the site form. Maybe we just need to rename the permission for now, and add back an 'administer ssl' perm if/when appropriate.

anarcat’s picture

Sounds more appropriate - something like 'create ssl certificate'?

ergonlogic’s picture

Status: Needs review » Fixed

Fixed #12 in 969fced in hosting and b5fd23b in hostmaster.

Fixed #5 in 0af8e26 in hosting and baa6d77 in hostmaster

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 8aa500b on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Add permissions to roles.
    
  • Commit b5fd23b on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Rename SSL permission to be more descriptive.
    
  • Commit baa6d77 on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Fix roles.
    

  • Commit 8aa500b on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Add permissions to roles.
    
  • Commit b5fd23b on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Rename SSL permission to be more descriptive.
    
  • Commit baa6d77 on 6.x-2.x, 7.x-3.x, dev-helmo-3.x by ergonlogic:
    Issue #2031491: Fix roles.