[STORY] as a user I want blocked fields in the user/host profile section to be greyed out, to prevent me from making mistakes

observation

When a user who is member of the host/host+ permission group logs into Dashboard's "my account" section, there are lots of fields that are blocked for editing and return a save-state-error & "permission denied" message upon editing them. The image uploader in the "host profile" section accepts an input and only after completing the full image upload dialog, returns a save-state error. This behaviour is confusing for users and can result in misunderstandings.

workflow to reproduce

• log in to dashboard.aura.radio with a user who has host/+ group rights
• open the "my account" section
• try editing fields

expectance horizon

the entry fields blocked for edit should be visible but greyed out. if the image uploader is blocked by permission, it shouldn't offer the upload UI dialog.

changed milestone to %1.0-alpha5 — Capable Capybara

added Cycle [4/24] P2 STORY To Do labels

assigned to @kmohrf

marked this issue as related to steering#227 (closed)

mentioned in issue steering#227 (closed)

added Doing label and removed To Do label

added ready-for-testing label and removed Doing label

mentioned in commit b96bccb1

a super quick test on dashboard.aura shows that on the "profiles" section, all fields are greyed out as expected, but not in the menu that is accessible via the "hamburger-button" aka user account section (is this the correct name for that? :) ) can you check please?

removed ready-for-testing label

added To Do label

I’ve checked. I logged in with a user that has the Host+ rules. This user has the following permissions (among others):

program.change_profile
program.edit__profile__biography
program.edit__profile__email
program.edit__profile__image
program.edit__profile__links
program.edit__profile__name

This is why the fields can be edited. Looking at the ProfileSerializer in steering it seems like there are still left-over host permissions that are checked. That seems wrong. @eigenwijsje can you fix that?

Sorry for this.

Fix is going working its way trough the pipeline right now.

Logging in with a host user, when I open my user account page, I can see that in the "Profile" section fields are all blocked/greyed correctly, but not in the upper (CBA-Profile) section (editing is not allowed but fields are not blocked). See here:

..so maybe there are still some wrong-going name checks around in the permissions? sorry for that.

To keep the names straight:

• Benutzername, Vorname and Nachname are user account properties
• CBA Kontoname & Token are CBA properties
• the section below are profiles (what used to be hosts)

Every user should be able self-manage their fore and surname. I suppose the user/role is missing the permission that is labelled auth | user | Can change user in steering.

I added the permissions according to https://docs.aura.radio/en/latest/user/admin/roles-and-permissions.html#field-permissions-overview

There, only Program Managers are allowed to edit email, first_name and last_name properties of an User.

If we really want to allow user to edit some of their fields, this can be done, but It would require adding default change_user permissions to every user and define and add custom permissions for each of the editable fields.

ah ok, lost in translation & lost in permission... transmission... eh whatever

We are assuming the user account info (username, name, surname, email) is static info which should not be edited a lot (thus no field-level permissions here). CBA credentials as well. Since the "profile" (formerly host) section possibly is also information which could go public on a website, it may be edited more often and also has field-level permissions. For now let's keep things simple

what I meant is: can we block the fields for:

• user account properties
• CBA account & token

@kmohrf ? if this is not possible due to whatever, let's keep it as-is for now.

for testing: which would be the exact permissions that have to be assigned? I posted an overview of all given permissions for all groups on dashboard.aura right now on: steering#236 (closed)

ah, another language correction: I did not mean blocking (the fields are already blocked correctly), but I meant that all fields that are blocked should also be greyed out, so users do not mistakenly try to edit stuff that cannot be edited. Sorry for the unclear terminology

I can just deactivate these fields though I think it’s kind of weird that user’s can’t even update their own name.

@eigenwijsje it would be nice if steering would expose the permissions from the auth module. Then I can check the auth.change_user permission in the dashboard.

Nevermind, you already did that.

final test on dashboard.aura and now we're there thanks a lot!!

added Blocked label and removed To Do label

added ready-for-testing label and removed Blocked label

removed ready-for-testing label

added To Do label

mentioned in commit 4468eed5

added ready-for-testing label and removed To Do label

removed ready-for-testing label

closed