- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Component/s: Permissions - Content (Backend/API)
- None
- Minor
Issue Summary
When you opt in to RBAC, you can still use the api/v2/spaces/<spaceId>/permissions endpoint to get the assigned permissions for a space/page.
The problem is when you assign custom permissions with the options to:
- Delete anyone's comments
- Delete own comment
In the old permission model, we didn't have the "delete own comment" option, but rather "delete one's own data", which included everything. Now, if we select either of the options above, or both, in RBAC, calling the API returns the same response, making it impossible to tell whether we have permission to delete any comment or just our own.
Steps to Reproduce
- Opt in to RBAC
- Assign the custom permission to a user in a space, and select both options above.
- Call the wiki/api/v2/spaces/<spaceId>/permissions API
Expected Results
We should see two different targetType values for the user, for example:
{
  "id": "??????",
  "principal": {
    "type": "user",
    "id": "???????"
  },
  "operation": {
    "key": "delete",
    "targetType": "comment"
  }
},
{
  "id": "???????",
  "principal": {
    "type": "user",
    "id": "???????"
  },
  "operation": {
    "key": "delete",
    "targetType": "own_comment"
  }
},
Actual Results
We see the same entry twice; if there is just one selected, you can't figure out if it's delete all or delete own.
{
  "id": "?????",
  "principal": {
    "type": "user",
    "id": "??????????"
  },
  "operation": {
    "key": "delete",
    "targetType": "comment"
  }
},
{
  "id": "?????",
  "principal": {
    "type": "user",
    "id": "??????????"
  },
  "operation": {
    "key": "delete",
    "targetType": "comment"
  }
},
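For a permissions review that relies on this endpoint, the ambiguity above can at least be surfaced. The following is an added example, not part of the original ticket or of Atlassian's code: it groups delete/comment entries by principal and labels what the response can and cannot tell you. The function names, finding labels and sample ids are assumptions made for illustration, and the input is a plain list of entries shaped like the ones shown in this ticket.

```python
from collections import defaultdict

# Constructed sample shaped like the entries in this ticket; all ids are made up.
SAMPLE_ENTRIES = [
    {"id": "perm-1", "principal": {"type": "user", "id": "user-A"},
     "operation": {"key": "delete", "targetType": "comment"}},
    {"id": "perm-2", "principal": {"type": "user", "id": "user-A"},
     "operation": {"key": "delete", "targetType": "comment"}},
    {"id": "perm-3", "principal": {"type": "user", "id": "user-B"},
     "operation": {"key": "delete", "targetType": "comment"}},
    {"id": "perm-4", "principal": {"type": "user", "id": "user-B"},
     "operation": {"key": "read", "targetType": "page"}},
    {"id": "perm-5", "principal": {"type": "user"}},  # malformed: no operation
]


def audit_comment_delete(entries):
    """Group delete/comment entries by principal and label what can be inferred.

    Returns {(principal_type, principal_id): {"entries": [ids], "finding": str}}.
    "both-options-likely": the entry appears more than once, which the ticket
        reports when both delete options are selected.
    "scope-unknown": a single entry; it may mean delete-own or delete-anyone.
    """
    grouped = defaultdict(list)
    for entry in entries:
        op = entry.get("operation") or {}
        if op.get("key") != "delete" or op.get("targetType") != "comment":
            continue  # not a comment-delete grant (or malformed entry)
        who = entry.get("principal") or {}
        grouped[(who.get("type"), who.get("id"))].append(entry.get("id"))
    return {
        key: {"entries": ids,
              "finding": "both-options-likely" if len(ids) > 1 else "scope-unknown"}
        for key, ids in grouped.items()
    }


def needs_manual_review(entries):
    """Principals whose comment-delete scope cannot be proven from the API alone."""
    report = audit_comment_delete(entries)
    return [k for k, v in report.items() if v["finding"] == "scope-unknown"]


if __name__ == "__main__":
    for principal, result in audit_comment_delete(SAMPLE_ENTRIES).items():
        print(principal, result)
```

In a least-privilege review, a "scope-unknown" principal should be treated as possibly holding "delete anyone's comments" until the grant is checked in the space's permission settings.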
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.