“private album” option is not working correctly, admin users can see all albums #70

Closed
opened 2018-07-28 23:29:56 +01:00 by aheathershaw · 4 comments
Owner

LNT00:

Selecting it should make an album private, so only the user that created it has access to it. Actually all admin users have access to it.
Admin users should not have access to private albums, only to app configuration screens.

aheathershaw self-assigned this 2018-07-28 23:29:56 +01:00
aheathershaw added the invalid label 2018-07-28 23:29:56 +01:00
Author
Owner

![](/attachments/bff946f9-80a1-45e0-9bc1-08abb88567e6)
Author
Owner

Can I clarify some terminology here - an admin user and a user who can access the config screens are two different things.

An admin user is someone who you have ticked the “user is an administrator” option against their profile. Admin users bypass ALL security checks. By making someone an administrator, you are telling the system they can see and do anything.

To give people access to the config screens, you create a user group (eg. Admin Users), assign permissions to the group and add the relevant users to the group. You can be granular with permissions so you can say some people can add albums but not manage users. That’s exactly how I’ve set up the demo system so the demo user cannot change the config but can create albums to see the functionality of the app.

The “private album” option does not assign any default permissions to the album so that it is only accessible by the owner unless you tell it otherwise - either with specific permissions (against a user or group) or by an administrator user.

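The access model described in the comment above, sketched as an added example; it is not part of the original thread and not Blue Twilight's own code. All names, the `"view"` permission string and the `DEFAULT_GRANTS` value are assumptions made for illustration. The `effective_viewers` helper shows the point at issue: accounts with the administrator flag appear among the viewers of a private album, while membership of a config-screen group alone does not grant access.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False              # the "user is an administrator" tick box
    groups: frozenset = frozenset()

@dataclass
class Album:
    owner: str
    # (principal, permission) pairs; a principal is "user:<name>" or "group:<name>"
    grants: set = field(default_factory=set)

# Assumption: what a non-private album receives by default (constructed value).
DEFAULT_GRANTS = {("group:Everyone", "view")}

def create_album(owner, private):
    # "Private" assigns no default permissions; explicit grants can be added later.
    return Album(owner, set() if private else set(DEFAULT_GRANTS))

def can(user, album, permission):
    if user.is_admin:                   # administrators bypass ALL security checks
        return True
    if user.name == album.owner:        # the owner always keeps access
        return True
    principals = {f"user:{user.name}"} | {f"group:{g}" for g in user.groups}
    return any((p, permission) in album.grants for p in principals)

def effective_viewers(album, users):
    """Audit helper: every account that can actually view the album."""
    return sorted(u.name for u in users if can(u, album, "view"))

# Constructed sample accounts.
USERS = [
    User("alice"),
    User("bob", groups=frozenset({"Everyone"})),
    # Member of a config-screen group, but NOT flagged as administrator.
    User("carol", groups=frozenset({"Everyone", "Admin Users"})),
    User("root", is_admin=True),
]

def demo():
    private = create_album("alice", private=True)
    before = effective_viewers(private, USERS)   # owner plus administrator accounts
    private.grants.add(("user:bob", "view"))     # explicit per-user permission
    return before, effective_viewers(private, USERS)

if __name__ == "__main__":
    print(demo())
```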
Author
Owner

LNT00:

Yes, it's working correctly as you described.

Author
Owner
Migrated from https://github.com/andysh-uk/blue-twilight/issues/70
Reference: aheathershaw/blue-twilight#70