upcoming: [M3-7413] - Update existing user account endpoints and mocks for Parent/Child Account Switching #9942
Conversation
| ssh_keys: string[]; | ||
| tfa_enabled: boolean; | ||
| username: string; | ||
| user_type: UserType | null; |
There was a problem hiding this comment.
This is the new user_type field. All of the other changes in the User interface were just reordering.
| @@ -169,6 +172,7 @@ export type GlobalGrantTypes = | |||
| | 'add_longview' | |||
| | 'longview_subscription' | |||
| | 'account_access' | |||
| | 'child_account_access' | |||
There was a problem hiding this comment.
This is the new child_account_access grant that returns true for all admin parent accounts and any additional parent accounts that the admin parent grants permission to access the child accounts.
There was a problem hiding this comment.
Not that I am very privy to this architecture, but I was expecting an array of child accounts the parent has access to instead of just a boolean. I know it's handled in another way but just putting this thought out there for posterity.
There was a problem hiding this comment.
The array of child accounts will be returned by a new API endpoint, GET /account/child-accounts! This boolean is a new global grant that allows an unrestricted parent account to decide whether or not any other users associated with that parent account (i.e. non-admin, potentially restricted parent account users) will also have access to the data returned in GET /account/child-accounts.
| return res(ctx.json(profileFactory.build())); | ||
| return res(ctx.json(accountUserFactory.build())); |
There was a problem hiding this comment.
This was an existing bug... The mock request to*/account/users/:user was returning profile instead of account data.
| add_domains: false, | ||
| add_firewalls: false, | ||
| add_images: false, | ||
| add_linodes: false, | ||
| add_longview: false, | ||
| add_nodebalancers: false, | ||
| add_stackscripts: false, | ||
| add_volumes: false, | ||
| add_vpcs: false, | ||
| cancel_account: false, |
There was a problem hiding this comment.
Proxy accounts have read only permissions by default and cannot be canceled.
| ctx.json( | ||
| grantsFactory.build({ | ||
| global: { | ||
| cancel_account: false, |
There was a problem hiding this comment.
Child accounts cannot be canceled while they have a user_type of "child".
| cancel_account: false, | ||
| child_account_access: true, |
There was a problem hiding this comment.
Parent accounts cannot be canceled while they have a user_type of "parent". This "admin" parent account has default child_account_access granted.
mjac0bs
requested review from
jdamore-linode,
dwiley-akamai and
jaalah-akamai
and removed request for
a team
There was a problem hiding this comment.
Tested locally and confirmed scenari outlined in PR description
- payload of GET /account/users and verify the user_type field is present and accurate with parent/child/proxy accounts and null in all other cases.
- ParentUser's permissions page returns
child_account_accessset to true. In all other cases, it should be false. - other users verify that GET /account/users/ returns the expected value for user_type in the payload.
| @@ -169,6 +172,7 @@ export type GlobalGrantTypes = | |||
| | 'add_longview' | |||
| | 'longview_subscription' | |||
| | 'account_access' | |||
| | 'child_account_access' | |||
There was a problem hiding this comment.
Not that I am very privy to this architecture, but I was expecting an array of child accounts the parent has access to instead of just a boolean. I know it's handled in another way but just putting this thought out there for posterity.
Description 📝
GET /account/usersandGET /account/users/<username>requests will return a newuser_typefield to allow us to distinguish between users.GET /account/users/<username>/grantswill return a new grant type:child_account_access, which will be true for parent accounts with access to child account endpoints.These additions to existing endpoints set us up to implement account switching and user permissions flows.
Changes 🔄
Userinterface and factory to include the newuser_typefieldAccountinterface andGrantfactory to include the newchild_account_accessfieldaccount/usersendpoint to include a child, parent, and proxy userPreview 📷
GET /account/usersGET /account/users/<username>GET /account/users/<username>/grantsHow to test 🧪
Prerequisites
(How to setup test environment)
yarn up.Verification steps
(How to verify changes)
GET /account/usersand verify theuser_typefield is present and accurate with parent/child/proxy accounts andnullin all other cases.GET /account/users/<username>/grantsreturnschild_account_accessset totrue. In all other cases, it should befalse.GET /account/users/<username>returns the expected value foruser_typein the payload.As an Author I have considered 🤔
Check all that apply