Iqss/8109 separate managefilepermissions #8174
Conversation
…anagefilepermissions
|
@scolapasta I know it's still a draft PR but I'll pre-assign you as I know you are the permissions guru. |
|
DANS looked this over and tested a bit, so it should be good to go. |
| permission.viewUnpublishedDataset=View an unpublished dataset and its files | ||
| permission.viewUnpublishedDataverse=View an unpublished dataverse | ||
| permission.addDatasetDataverse=Add a dataset to a dataverse | ||
| permission.managePermissionsDatasetFiles=Manage permissions for a dataset's file |
| permission.ViewUnpublishedDataset.desc=View an unpublished dataset and its files | ||
| permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse | ||
| permission.AddDataset.desc=Add a dataset to a dataverse | ||
| permission.ManageFilePermissions.desc=Manage permissions for a file |
There was a problem hiding this comment.
not exactly sure when this is used vs the one without "desc" buty should it match - the others seem to
|
|
||
| public RevokeRoleCommand(RoleAssignment toBeRevoked, DataverseRequest aRequest) { | ||
| // for data file check permission on owning dataset | ||
| // for data file, report affect object as owning dataset |
There was a problem hiding this comment.
See my comment above on permissions, but if we say it applies to files, should the affected object just be the file now?
| return Collections.singletonMap("", | ||
| defPoint instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions) | ||
| : Collections.singleton(Permission.ManageDatasetPermissions)); | ||
| : defPoint instanceof Dataset ? Collections.singleton(Permission.ManageDatasetPermissions) : Collections.singleton(Permission.ManageFilePermissions)); |
There was a problem hiding this comment.
See my comment above on permissions, but if we say it applies to files, should the affected object just be the file now? (added here as github didn't seem to let me add this comment to line 48)
There was a problem hiding this comment.
I chose this because I think that makes it appear as one of the dataset-level permissions you can assign on a dataset. The language is confusing but I think this currently is a dataset-level permission allowing you to grant the individual file-level download permissions.
I think it could be redesigned as a file-level permission to that let's you assign download permissions to that file, but I'm not sure that's needed and it seems like a lot of extra assignment points.
I may be missing something in all of this though.
There was a problem hiding this comment.
So, to be clear - roles are what appear to assign. But yes roles will only show up if they have permissions for your type of object, or lower. So a role with only dataverse level permissions will not show up when you assign a role at the dataset level. BUT do note the "or lower" part. Since roles can cascade down, a role with only file level permissions will still show up when you assign a role at the dataset level. For example, file downloader.
Changing it now to file level won't change anything about the way you have it working, users will still assign these roles at the dataset and it will apply to granting permission for ALL files in that dataset. But it would allow us to some day add a workflow to have someone only grant access to some files.
It seems to me a small enough change - change the level on the permission and the affected object on those two commands, and you can see it will still work as designed for assigning at the dataset.
My vote would be to change this now, BUT if we decide not to change it now; let's add a comment on the permission so we know what we need to to make this change in the future sometime.
There was a problem hiding this comment.
OK but I'm still confused some about the specific change: I can change the object type to DataFile in the Permissions class. Is there anything else?
The Assign/Revoke role commands are reporting the owning Dataset as the object if the role is on a file already - for the DownloadPermission. Changing the ManageFilePermissions to use DataFile, would without further changes, still report it as affecting the owning Dataset. Whereas if I change the commands to report DataFile as the affected object, it would affect DownloadPermission as well. So - any change in the Commands now?
On the UI side, the menu appears/disappears if you have ManageFilePermissions on the Dataset and the canManageFilesOnDataset(Dataset) method checks that Dataset. To really use this on DataFiles, we'd eventually need a canManageFile(DataFile) method as well? (instead?) Is there any change in these areas at this point?
There was a problem hiding this comment.
@qqmyers let's discuss briefly today and we can decide on the change or not and move along.
| DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class); | ||
| DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class), | ||
| //Update again | ||
| ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class); |
There was a problem hiding this comment.
I know this was added at the end because easier to change permission bits in db. BUT this does show up in this order in the UI, so I suggest we move it up next to the other Manage perms and redo the SQL script to handle.
Also, should the applies to be datafile (I know for know we will only apply to Dataset and it will cascade down, since otherwise would require some new UI changes), but to future proof in case some day we want to have a role that can only manage permissions on a subset of dataset files?
There was a problem hiding this comment.
This makes sense. I don't have time right now to do this but will try to get to it. Shouldn't be that hard.
There was a problem hiding this comment.
Updated to move the Permission in the enum. Added lots of description in the flyway script to help in reviewing the logic there.
| ManageDataversePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataverse"), true, Dataverse.class), | ||
| ManageDatasetPermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataset"), true, Dataset.class), | ||
| ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class), | ||
| ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataFiles"), true, DataFile.class), |
There was a problem hiding this comment.
Very Minor change, but let's make this singular to be in parallel with the others.
| permission.viewUnpublishedDataverse=View an unpublished dataverse | ||
| permission.addDatasetDataverse=Add a dataset to a dataverse | ||
| permission.managePermissionsDatasetFiles=Manage permissions for a dataset's files | ||
| permission.managePermissionsDataFiles=Manage permissions for a dataFile(s) |
There was a problem hiding this comment.
remove the s and there's an extraneous "a"
| permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse | ||
| permission.AddDataset.desc=Add a dataset to a dataverse | ||
| permission.ManageFilePermissions.desc=Manage permissions for a dataset's files | ||
| permission.ManageFilePermissions.desc=Manage permissions for a file(s) |
There was a problem hiding this comment.
remove the s and there's an extraneous "a" (and one above says dataFiles and this says files - let's keep the same still
There was a problem hiding this comment.
Changed the text and moved these next to the dataset/dataverse ones. Note that this line doesn't have an extraneous s (if I understand) - the names of the permissions are plural, but the labels defined for them are a different form and reference a singular object.
scolapasta
left a comment
scolapasta
left a comment
There was a problem hiding this comment.
Changes look good. Thanks.
I saw this went into QA which is great but there are no docs and no release note. From standup yesterday it sounds like we decided that we're not adding a new role in this pull request, which sounds fine. That probably means we don't need any docs. Does it also mean we don't need a release note? Perhaps a release note could at least mention the new ManageFilePermissions permission and indicate UI changes (from above):
|
|
Well, with the core code there would not actually be a UI change - only with a new role that only had one or the other permission. I agree that I don't think we actually need docs (unless we do document already the permissions / roles that exist with that level of detail. As far as release notes, do we normally create a note as part of the PR for a new feature like this if it doesn't actually require anything of the admin? Or does @djbrooke just add some detail for the new "feature" when he creates the notes? |
|
@pdurbin @scolapasta I can add something to this branch, probably at the use case level. Not sure it raises to the level of a big chunk. :) |
|
FWIW: I added a short release note - feel free to use/ignore the text there. |
IQSS/8109-separate-managefilepermissions Conflicts: src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java
|
Preliminary testing:
|
6 participants
What this PR does / why we need it:
Adds a new ManageFilePermissions permission defined on datasets that is required to add/revoke FileDownload permissions and view file download requests, etc.
This then allows defining a role that would allow a user to respond to file download requests without also giving them the power to manage the dataset (which allows you to then increase your own permissions on that dataset.)
Any existing roles with the ManageDatasetPermissions permission are updated to also have this new permission (the existing admin and curator roles are the only two standard roles that have the ManageDatasetPermissions permission) via a flyway script and the role definitions for admin and curator ( json files in the scripts/api/data folder) are also updated.
Which issue(s) this PR closes:
Closes #8109
Special notes for your reviewer: Should this PR define a new role that can manage files and not the dataset permissions (i.e. the use case driving the PR) versus having sites create their own custom roles? Any name suggestions?
Suggestions on how to test this:
1)Verify that admins and curators can still add/remove file download permissions (and can do all of the other dataset-level permission assignments as well ).
2) Create a role having the new ManageFilePermissions permission and not the ManageDatasetPermissions, assign a user to that role for a given dataset, and verify that a) that user can see the Permissions/File menu item and not the Permissions/Dataset option, and b) that they can then use the file permissions page to add/revoke file download permissions. Also verify that the user can run the /api/access/datafile/{id}/listRequests and /api/access//datafile/{id}/rejectAccess/{identifier} api calls on that dataset/its files.
3) FWIW: In the db, doing a
select id, perimissionbits::bit(14) from dataverserole;is a useful way to see the bitmap of permissions assigned to a role. What should be happening in the update it that any role with bit 9 should have a new bit 10 with the same value and the existing bit 10-13 values shifted into bits 11-14. Using letters for bit positions (a=1 through m=13):mlkjihgfedcba --> mlkjiihgfedcba
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Changes the Dataset/Edit Dataset/Permissions menu to only have one option - Dataset or File - if you only have the original ManageDatasetPermissions or the new ManageFilePermissions permission, respectively. (Existing roles which have both permissions after the PR still see a menu with the original two options.).
The new ManageFilePermissions permission shows up in the list for the admin and curator roles where that is shown (e.g. on the permission management dialogs).
Is there a release notes update needed for this change?: probably worth mentioning - will wait to draft until we decide whether there should be a new standard role having this permission or not.
Additional documentation: tbd - same issue as release notes - will wait for decision re: whether there's a new standard role involved.