If I'm reading the patch correctly, we're hardcoding that only an admin can set arbitrary locations:
if not(req.context.is_admin or utils.validate_external_url
Previously it was possible to use the policy file to give permissions to just specific roles/users to set arbitrary locations, eg:
policy.json:
"set_image_location": "role:whoever",
It may be a corner case, but if someone has a workflow that requires a non-admin (but hopefully trusted user) to set an arbitrary location, the current patch would prevent that.
Could we do something like have a new policy that would cover that case, eg:
"set_unrestricted_location": "role:whoever"
That would give us three policy defined sets:
1. Users that can't set locations at all
2. Users that can set locations to allowed values only
3. Users that can set location to any value
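The three policy-defined sets proposed in the comment above, as an added example (not Glance code and not part of the original comment). It assumes that "allowed values" means an allow-list of URL schemes and that the unrestricted rule is only consulted for callers who already hold `set_image_location`; `POLICY`, `ALLOWED_SCHEMES`, `is_allowed_location`, `enforce` and `may_set_location` are hypothetical names.

```python
from urllib.parse import urlparse

# Constructed policy mirroring the two rules named in the comment.
# Role names other than "whoever" are made up for the example.
POLICY = {
    "set_image_location": {"member", "whoever"},
    "set_unrestricted_location": {"whoever"},
}

# Assumption: a location is "allowed" when its scheme is on this list.
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_location(url):
    """Hypothetical stand-in for the patch's URL validation helper."""
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def enforce(rule, roles):
    """True when any of the caller's roles is granted the rule."""
    return bool(POLICY.get(rule, set()) & set(roles))


def may_set_location(roles, url):
    """Decide a location update from policy alone, with no is_admin check."""
    # Set 1: callers without the base rule cannot set locations at all.
    if not enforce("set_image_location", roles):
        return False
    # Set 3: the policy file, not a hardcoded admin test, grants any value.
    if enforce("set_unrestricted_location", roles):
        return True
    # Set 2: everyone else is limited to validated locations.
    return is_allowed_location(url)
```
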