Conversation
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
webapp/config/packages/security.yaml Outdated
| @@ -3,10 +3,10 @@ | |||
| security: | |||
| role_hierarchy: | |||
| ROLE_JURY: [ROLE_CLARIFICATION_RW, ROLE_API, ROLE_API_READER, ROLE_API_SOURCE_READER] | |||
| ROLE_ADMIN: [ROLE_JURY, ROLE_JUDGEHOST, ROLE_API_WRITER] | |||
| ROLE_ADMIN: [ROLE_JURY, ROLE_JUDGEHOST, ROLE_API_WRITER, | |||
| ROLE_API_PROBLEM_CHANGE, ROLE_API_CONTEST_CHANGE] | |||
There was a problem hiding this comment.
I think editor would be a better suffix than change. Also, is ROLE_API_CONTEST_CHANGE a superset of privileges over ROLE_API_PROBLEM_CHANGE?
There was a problem hiding this comment.
No, a contest is a different thing from a problem as we allow problems without a contest.
| final class Version20240629154640 extends AbstractMigration | ||
| { | ||
| private const NEW_ROLES = ['api_problem_change' => 'API Problem Changer', | ||
| 'api_contest_change' => 'API Contest Changer']; |
There was a problem hiding this comment.
Could we have some more detailed descriptions of these roles? How do admin/API writer, contest changer and problem changer relate?
This is for an usecase like EUC where there is an Ad-Hoc group which doesn't know each other yet (or even the system). The responsibility for the upload of the problems lies with one team which does not want admin access to make sure nothing gets broken. The same for changing the contest as BAPCtools does for example. Also extended the tests for admin access to now also check for the new roles while making sure admin also keeps the rights by transitivity.
b78b35b to 80d5b5e Compare | public function getDescription(): string | ||
| { | ||
| return "Add new roles to the database. | ||
| Problem editor can add/delete/edit anything related to problems; files, testcases. |
There was a problem hiding this comment.
I don't think any (end) user will read this and I think @eldering his feedback is that people now don't know what the roles do without checking the code.
There was a problem hiding this comment.
Exactly. What the roles do should ideally be clear from the role constant names, but at least from the role descriptions .
Two questions:
If the answer is no to both of these questions, then one role |
I think BAPCtools also wants to set the contest, and the judges of EUC wanted to only import the problems and nothing else? I'm fine with merging them as its already better than admin and we can always decide to split them later if there is a real usecase.
It was for me, I rather not also have to do this in code and if you have the zips already you can also just give them to an admin. I think is is only relevant for automated tools and during the contest I wouldn't want jury members to be able to change things which they might not be aware what are the differences (testcase order etc.). So its both laziness for the amount of code changed and only giving the rights which are needed. The same distinction was made for locking a contest. |
We had this request both during EUC and this would help during next BAPC prelims where we probably ask a BAPC jury member to upload the problems already.
For the 2nd case I would personally trust that person with
adminaccess but others might see that differently. Also only giving the needed access is always a good thing and given that this is easy to test I don't think this would be a real feature creep.