
Key: GALAXY-270
Type: Bug
Status: Open
Priority: Major
Assignee: Mark Griffin
Reporter: Mark Griffin
Votes: 0
Watchers: 0
Galaxy

There should always be at least one admin user in the system.

Created: 15/May/08 04:31 PM   Updated: 13/Aug/08 10:14 PM
Component/s: Web
Affects Version/s: 1.5-RC
Fix Version/s: 1.x Backlog

Time Tracking:
Not Specified

Labels:
User impact: Medium

Description
User should not be able to remove the administrator group, and there must always be at least one admin user in the system. Should users be able to delete themselves?

Andrew Perepelytsya added a comment - 30/May/08 03:03 PM
My question is: should we enforce this validation on the backend as well as UI?

Andrew Perepelytsya added a comment - 02/Jun/08 03:32 PM
Changing to bug and setting priority to Major, as without this fix the repo will be corrupted (nobody could login). Deleting itself should be allowed, IMO, it will be allowed to admin only, and as long as there's another admin user, will be fine.

Mark Griffin added a comment - 02/Jun/08 07:17 PM
Okay, but if we allow users to delete themselves, then they should be logged out after that action occurs.

Andrew Perepelytsya added a comment - 03/Jun/08 08:24 AM
Check the Logout link handler in the Galaxy class; the same URL can be used to log out and kill the current user's session.

Mark Griffin added a comment - 03/Jun/08 03:52 PM
Great, here is the plan:
  • on user deletion: if user is in admin group, verify there is at least one more user in admin group, or fail.
  • on user/group modification: verify there is at least one other user in the admin group if the admin group is being revoked from a user.
  • expire user session after user deletion (even if it's the current user)

Mark Griffin added a comment - 05/Jun/08 08:51 AM
A compromise until the proper API-level validation has been done. Since we have a locked uber-group, it makes sense to have a reserved uber-user (a la root); in this case the username is admin. This user cannot be removed and must be a member of the Administrators uber-group.

Backend handling can hopefully be done in 1.1
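
The three rules in Mark's plan (refuse to delete the last admin, refuse to revoke the admin group from the last admin, expire the deleted user's sessions even when the user deletes themselves) and the reserved `admin` compromise, as an added example. This is not Galaxy code: the `UserStore` and `SessionRegistry` classes, the group name `Administrators` and the reserved username `admin` are assumed stand-ins for the real backend. It also answers Andrew's question by enforcing the check in the store rather than the UI, and takes a lock around the check so two admins removing each other concurrently cannot both pass the check and leave zero admins.

```python
import threading

# Assumed names (not from the issue): the locked uber-group and the
# reserved root-like account proposed as a compromise.
ADMIN_GROUP = "Administrators"
RESERVED_ADMIN = "admin"


class LastAdminError(Exception):
    """The operation would leave the system without an administrator."""


class SessionRegistry:
    """Minimal stand-in for the web tier's session table (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session_id -> username

    def login(self, session_id, username):
        self._sessions[session_id] = username

    def is_active(self, session_id):
        return session_id in self._sessions

    def expire_user(self, username):
        """Invalidate every session of username, including the caller's own."""
        for sid in [s for s, u in self._sessions.items() if u == username]:
            del self._sessions[sid]


class UserStore:
    """Hypothetical backend store that enforces the invariant on every path."""

    def __init__(self, sessions):
        self._groups = {}  # username -> set of group names
        self._sessions = sessions
        # Check-then-act must be atomic, otherwise two admins deleting each
        # other in parallel could both pass the check.
        self._lock = threading.Lock()

    def add_user(self, username, groups=()):
        with self._lock:
            self._groups[username] = set(groups)

    def admins(self):
        return {u for u, g in self._groups.items() if ADMIN_GROUP in g}

    def _would_remove_last_admin(self, username):
        """True if dropping username's admin membership leaves no admin."""
        if ADMIN_GROUP not in self._groups[username]:
            return False
        return not (self.admins() - {username})

    def delete_user(self, username):
        with self._lock:
            if username not in self._groups:
                raise KeyError(username)
            if username == RESERVED_ADMIN:
                raise LastAdminError("reserved user %r cannot be deleted" % username)
            if self._would_remove_last_admin(username):
                raise LastAdminError("%r is the last administrator" % username)
            del self._groups[username]
            # Even if the caller deleted themselves, their session dies here.
            self._sessions.expire_user(username)

    def revoke_group(self, username, group):
        with self._lock:
            if username not in self._groups:
                raise KeyError(username)
            if group == ADMIN_GROUP:
                if username == RESERVED_ADMIN:
                    raise LastAdminError("reserved user must stay in %s" % ADMIN_GROUP)
                if self._would_remove_last_admin(username):
                    raise LastAdminError("%r is the last administrator" % username)
            self._groups[username].discard(group)


def attempt(action, *args):
    """Run an action and report whether the invariant check blocked it."""
    try:
        action(*args)
        return "ok"
    except LastAdminError:
        return "blocked"


def demo():
    """Constructed scenario: two admins, one plain user, two live sessions."""
    sessions = SessionRegistry()
    store = UserStore(sessions)
    store.add_user(RESERVED_ADMIN, [ADMIN_GROUP])
    store.add_user("alice", [ADMIN_GROUP])
    store.add_user("bob", ["Users"])
    sessions.login("sess-alice", "alice")
    sessions.login("sess-bob", "bob")

    results = {}
    # Revoking admin from alice is fine while the reserved admin remains.
    results["revoke_alice_admin"] = attempt(store.revoke_group, "alice", ADMIN_GROUP)
    # The reserved user can neither leave the group nor be deleted.
    results["revoke_reserved_admin"] = attempt(store.revoke_group, RESERVED_ADMIN, ADMIN_GROUP)
    results["delete_reserved"] = attempt(store.delete_user, RESERVED_ADMIN)
    # alice (now a plain user) deletes herself; only her session must die.
    results["delete_self"] = attempt(store.delete_user, "alice")
    results["alice_session_alive"] = sessions.is_active("sess-alice")
    results["bob_session_alive"] = sessions.is_active("sess-bob")
    results["admins_left"] = sorted(store.admins())
    return results
```

The UI can still grey out the delete button, but the store is the only place the invariant can actually be guaranteed: a direct API call, a second browser tab, or a race between two administrators all bypass UI-only validation.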