Description
If you create a non-permission attribute and assign it to a role, entries get added to the permission views (grouper_perms_all_v, grouper_perms_role_v, grouper_perms_role_subject_v) that shouldn't be there. For example, if I do the following...
gsh 0% edu = addRootStem("edu", "edu")
stem: name='edu' displayName='edu' uuid='02acfa9694b54aba8e4ac2e8f564fa54'
gsh 1% Group group = edu.addChildGroup("testGroup", "testGroup");
gsh 2% Group group0 = edu.addChildRole("testGroup0", "testGroup0")
gsh 3% group0.addMember(group.toSubject())
gsh 4% AttributeDef attributeDef = edu.addChildAttributeDef("attributeDef", AttributeDefType.attr);
gsh 5% attributeDef.setAssignToGroup(true)
gsh 6% attributeDef.store();
gsh 7% AttributeDefName attributeDefName = edu.addChildAttributeDefName(attributeDef, "testAttribute", "testAttribute");
gsh 8% AttributeAssign attributeAssign = group0.getAttributeDelegate().assignAttribute(attributeDefName).getAttributeAssign();
... and then look at grouper_perms_all_v, there's a row there.
I'm changing the views to include a check for the attribute def type = 'perm'. I'm also going to prevent updates to attribute def type to make things easier for point-in-time auditing of permissions. And I'll remove the check for group.type_of_group = 'role' in the views since permissions can only be assigned to roles.
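
The effect described above, reproduced as an added example that is not part of the original report and is not Grouper's own view definition. The table and view names (grp, attr_def, attr_def_name, attr_assign, perms_before_v, perms_after_v) are simplified, hypothetical stand-ins, and the permission edu:permDef / edu:canRead is constructed for contrast with the 'attr' attribute from the gsh session.

```python
import sqlite3

# Simplified stand-in schema: hypothetical table names, not Grouper's real DDL.
SCHEMA = """
CREATE TABLE grp (id TEXT, name TEXT, type_of_group TEXT);
CREATE TABLE attr_def (id TEXT, name TEXT, attribute_def_type TEXT);
CREATE TABLE attr_def_name (id TEXT, attribute_def_id TEXT, name TEXT);
CREATE TABLE attr_assign (id TEXT, attribute_def_name_id TEXT, owner_group_id TEXT);
-- Before: the only filter is that the owner is a role.
CREATE VIEW perms_before_v AS
SELECT g.name AS role_name, n.name AS attribute_def_name
FROM attr_assign a
JOIN attr_def_name n ON n.id = a.attribute_def_name_id
JOIN attr_def d ON d.id = n.attribute_def_id
JOIN grp g ON g.id = a.owner_group_id
WHERE g.type_of_group = 'role';
-- After: filter on the attribute definition type, as the description proposes.
CREATE VIEW perms_after_v AS
SELECT g.name AS role_name, n.name AS attribute_def_name
FROM attr_assign a
JOIN attr_def_name n ON n.id = a.attribute_def_name_id
JOIN attr_def d ON d.id = n.attribute_def_id
JOIN grp g ON g.id = a.owner_group_id
WHERE d.attribute_def_type = 'perm';
"""

# Constructed sample data: the role and 'attr' attribute from the gsh session,
# plus a constructed permission (edu:permDef / edu:canRead) for contrast.
ROWS = """
INSERT INTO grp VALUES ('g0', 'edu:testGroup0', 'role');
INSERT INTO attr_def VALUES ('d1', 'edu:attributeDef', 'attr'), ('d2', 'edu:permDef', 'perm');
INSERT INTO attr_def_name VALUES ('n1', 'd1', 'edu:testAttribute'), ('n2', 'd2', 'edu:canRead');
INSERT INTO attr_assign VALUES ('a1', 'n1', 'g0'), ('a2', 'n2', 'g0');
"""

def view_rows(view):
    """Return (role, attribute name) rows from one of the two demo views."""
    if view not in ("perms_before_v", "perms_after_v"):
        raise ValueError(view)
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + ROWS)
    rows = con.execute(f"SELECT * FROM {view} ORDER BY attribute_def_name").fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    print("before:", view_rows("perms_before_v"))  # includes edu:testAttribute
    print("after: ", view_rows("perms_after_v"))   # permission row only
```

A regression check for the real views can follow the same shape: assign an 'attr'-type attribute to a role and assert that no row for it appears in any of the three permission views.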