Feature Proposal: Implement the UI suggested by Crawford in the AddFurtherControlsOnSudo proposal

Motivation

Makes the need to be a member of the AdminGroup much less likely, and is a much better solution than sudo.

Description and Documentation

  • Add System.WebLeftBarAdminStatus - can be included in a Left Bar topic to install Add/Remove buttons.
  • Add redirectto to the Manage.pm addUserToGroup and removeUserFromGroup functions
Note that while reviewing the CGI docs to determine whether a feature proposal is required for redirectto, I found that manage action=saveSettings claims to support redirectto but is instead hardcoded to redirect to the current topic.

Examples

%STARTSECTION{"ADD"}%
%IF{"'Main.AdminGroup' allows 'CHANGE'" then="
<form action='%SCRIPTURLPATH{"manage"}%/%WEB%/%TOPIC%' method='post'> 
<input type='hidden' name='groupname' value='AdminGroup'/> 
<input type='hidden' name='action' value='addUserToGroup'/>
<input type='hidden' name='redirectto' value='%BASEWEB%.%BASETOPIC%'/>
<input type='hidden' name='username' value='%WIKINAME%' />
%BUTTON{"%MAKETEXT{"Become Admin"}%" icon="add" type="submit"}%
     %CLEAR%
</form>
"}%
%ENDSECTION{"ADD"}%

%STARTSECTION{"DEL"}%
<form action='%SCRIPTURLPATH{"manage"}%/%WEB%/%TOPIC%' method='post'> 
<input type='hidden' name='groupname' value='AdminGroup'/> 
<input type='hidden' name='redirectto' value='%BASEWEB%.%BASETOPIC%'/>
<input type='hidden' name='action' value='removeUserFromGroup'/>
<input type='hidden' name='username' value='%WIKINAME%' />
%BUTTON{"%MAKETEXT{"<b>Remove Admin</b>"}%" icon="delete" class="red" type="submit"}%
     %CLEAR%
</form>
%ENDSECTION{"DEL"}%



%STARTINCLUDE%
%IF{
   "$USERNAME ingroup 'AdminGroup'"
      then="%INCLUDE{"%TOPIC%" section="DEL"}%"
      else="%INCLUDE{"%TOPIC%" section="ADD"}%"
}%
%STOPINCLUDE%

Active example

If you are in the AdminGroup, or are allowed to change the AdminGroup topic, a button will appear here to either add you to or remove you from the group.

Note that without the redirectto parameter, pressing the button sends you to an Oops page confirming the change. (I'd really like to pull this into our 1.1.5 security release!)

Impact


Implementation

-- Contributors: GeorgeClark - 25 Feb 2012

Discussion

The suggested topic name - System.WebLeftBarAdminStatus isn't the greatest. AdminButton? MakeMeAdmin? AdminControl?

-- GeorgeClark - 25 Feb 2012

Perhaps AdminSwitch or AdminToggle.

-- ArthurClemens - 25 Feb 2012

FWIW I regard any non-standard interpretation of redirectto as a bug.

-- CrawfordCurrie - 26 Feb 2012

I've implemented the redirectto as a bug-fix on Item11579. That was the main reason I made this a feature request. It doesn't seem to me that adding a small example topic rises to the level of needing a feature request. I'll wait a bit longer, but unless objections arise, I'll plan to add into 1.1.5:
  • A topic - AdminToggle - which documents the feature and can be %INCLUDED into a LeftBar.
  • And add some documentation to the AdminGroup topic to make the solution more obvious for new installations.
-- GeorgeClark - 27 Feb 2012

All I can say is "beware of feature creep". This really should not be going out in a patch, but it is extremely low risk so I can't protesteth too much.

-- CrawfordCurrie - 28 Feb 2012

I hone my rationalization skills. ...This really is just an added example topic that takes advantage of a feature in 1.1 that was implemented ages ago by SvenDowideit, but was never really understood by the rest of us. Does that work?

-- GeorgeClark - 28 Feb 2012

"Never really understood" is generous. "Not even noticed" is probably closer to the mark :(

-- CrawfordCurrie - 28 Feb 2012

Rather than a separate topic ... or maybe in addition to a separate topic. Should we have an "Add Me" button rendered on every *Group topic where the current user has change authority? Or call it "Join this group"?

-- GeorgeClark - 19 Mar 2012

Neat technical solution to the user rights promotion portion of the sudo feature.

But users of ACLs need a level of comfort, to know that the random user that suddenly viewed or edited their secure web actually had rights to do so.

Having a dynamic admin group can lead (and previously has led) to fears that the ACL system can't be trusted, so we need to make admin group membership more obvious.

My suggestion is to have admin group membership modify the cUID that is recorded, e.g. admin(mapping_1234), so that all topic infos can show SvenDowideit (admin).

(This is also why I implemented sudo as a login stack: so that you don't have the fear that resulted in our ACL system breaking in the early years of TWiki.)

Better accountability is great, unless that accountability means normal users can't easily confirm the admin membership at the time.

-- SvenDowideit - 03 Jun 2012

I somewhat agree. But the 14-day clock has long since expired on this, and the work is already merged to core (committed on April 17th). All that was left was some cleanup of documentation.

I'm still a bit confused. We made it a bit easier to join and leave the admin group, but even today this exact behavior can be done just by using Edit Topic.
  • Edit AdminGroup to become a member (assuming that you have authorization)
  • Do something
  • Edit AdminGroup remove yourself.
If done within the "minor revision" horizon, it will appear in the AdminGroup history that you were never a member. And JoeUser shows up in logs or rev. history without any indication that they were ever an admin.

I'm a bit concerned about modifying the cUID to flag that the ID had admin status at the time of use. I suspect it would break other mappers, as all mappers would have to know to reverse out the admin flag.

-- GeorgeClark - 03 Jun 2012
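To make the audit gap described in the comment above concrete, and Sven's accountability point before it, the following Python script is an added example; it is not code from this proposal or from Foswiki. It reconstructs AdminGroup membership at the time of each logged action from the stored revisions of the group topic, first with the full revision history and then with the intermediate save folded away as happens inside the minor-revision window. The `Set GROUP = ...` syntax and the pipe-delimited events.log layout are simplified assumptions made for the example, and the revisions, user names and log lines are all constructed.

```python
import re
from datetime import datetime

# Assumed, simplified layouts for this example (not Foswiki's own parsers):
#   group topic line:  "   * Set GROUP = Main.AdminUser, Main.JoeUser"
#   events.log line:   "| YYYY-MM-DD HH:MM:SS | user | action | Web.Topic | extra | ip |"
GROUP_RE = re.compile(r'^\s*\*\s+Set\s+GROUP\s*=\s*(.*)$', re.MULTILINE)
LOG_RE = re.compile(
    r'^\|\s*(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*\|'
    r'\s*(?P<user>\S+)\s*\|\s*(?P<action>\w+)\s*\|\s*(?P<topic>\S+)\s*\|'
)


def parse_when(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def group_members(topic_text):
    """WikiNames listed in the topic's GROUP setting, with any Web. prefix dropped."""
    match = GROUP_RE.search(topic_text)
    if not match:
        return set()
    return {n.strip().split(".")[-1] for n in match.group(1).split(",") if n.strip()}


def membership_at(revisions, when):
    """Members according to the newest stored revision saved at or before `when`.

    `revisions` is a list of (datetime, topic_text). Only what the store kept
    can be consulted, which is exactly the audit problem.
    """
    current = set()
    for saved_at, text in sorted(revisions, key=lambda r: r[0]):
        if saved_at > when:
            break
        current = group_members(text)
    return current


def annotate_log(log_lines, revisions):
    """Tag each logged action with whether the actor was in the group at that moment."""
    annotated = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an event line in the assumed layout
        when = parse_when(match["when"])
        annotated.append({
            "when": match["when"],
            "user": match["user"],
            "action": match["action"],
            "topic": match["topic"],
            "admin": match["user"] in membership_at(revisions, when),
        })
    return annotated


def hidden_group_edits(annotated, revisions, group_topic="Main.AdminGroup"):
    """Users who saved the group topic according to the log, but whose membership
    never changes across the stored revisions: a membership change that the
    revision history no longer shows."""
    changed, previous = set(), None
    for _, text in sorted(revisions, key=lambda r: r[0]):
        members = group_members(text)
        if previous is not None:
            changed |= previous ^ members
        previous = members
    editors = {a["user"] for a in annotated
               if a["topic"] == group_topic and a["action"] == "save"}
    return editors - changed


# Constructed data for the example.
R_BASE = "   * Set GROUP = Main.AdminUser\n"
R_WITH_JOE = "   * Set GROUP = Main.AdminUser, Main.JoeUser\n"

FULL_HISTORY = [
    (parse_when("2012-06-03 10:00:00"), R_BASE),
    (parse_when("2012-06-03 10:05:00"), R_WITH_JOE),  # JoeUser adds himself
    (parse_when("2012-06-03 10:20:00"), R_BASE),      # JoeUser removes himself
]
# The same two edits made within the minor-revision window: the 10:05 save is
# replaced by the 10:20 one, so no stored revision ever lists JoeUser.
COLLAPSED_HISTORY = [
    (parse_when("2012-06-03 10:00:00"), R_BASE),
    (parse_when("2012-06-03 10:20:00"), R_BASE),
]

EVENTS_LOG = [
    "| 2012-06-03 10:05:00 | JoeUser | save | Main.AdminGroup |  | 10.0.0.5 |",
    "| 2012-06-03 10:10:00 | JoeUser | save | Secret.Plans |  | 10.0.0.5 |",
    "| 2012-06-03 10:20:00 | JoeUser | save | Main.AdminGroup |  | 10.0.0.5 |",
    "| 2012-06-03 10:30:00 | AdminUser | view | Secret.Plans |  | 10.0.0.9 |",
]

if __name__ == "__main__":
    for label, history in (("full", FULL_HISTORY), ("collapsed", COLLAPSED_HISTORY)):
        rows = annotate_log(EVENTS_LOG, history)
        print(f"--- {label} history ---")
        for r in rows:
            print(f"{r['when']} {r['user']:<10} {r['action']:<5} {r['topic']:<16} admin={r['admin']}")
        print("hidden group edits:", hidden_group_edits(rows, history) or "none")
```

With the full history, JoeUser's save to Secret.Plans at 10:10 is tagged as an admin action; with the collapsed history the same line is tagged as a non-admin action, and nothing in the revision history says otherwise. What survives is the event log: two saves of Main.AdminGroup by a user whose membership never changes in any stored revision, which is what `hidden_group_edits` reports. Whether the log retains those saves depends on how the site configures logging, so this is a check to run against a real events.log rather than a guarantee.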

The issue for the first time admin is not making it easy to add himself to the admin group.

The issue is that he does not know he has to add himself to the admin group. He does not know that such thing exists.

I have always said that adding the initial user and making him an admin should be an installation step in configure.

Configure should guide you through the installation steps and one should be defining the first user and adding him/her to the admin group.

-- KennethLavrsen - 03 Jun 2012

George, I think that the end mappers don't need to know about the admin flag. IF all requests come via the Foswiki::User API, then that API could (I think) strip out the admin flag and pass the remainder to the mapper.

Sorry about tromping on a finished feature; I never realised the original was rejected so suddenly, and without addressing the important need to make sure the end users don't get scared.

-- SvenDowideit - 03 Jun 2012
Topic revision: r14 - 05 Jul 2015, GeorgeClark