EDIT

Implement rights management and roles etc. which is needed for the E+M workflow:

Groups and Authorities¶

In ticket #4082 (implement default permission groups) the default PermissionGroups habe been implemented for Eumed ( and hopefully also for other databases). These default permission groups have to be combined and others have to be created manually in order to create the effective user groups for euro + med, which are:

1. das Editorial Board, das Lese- und Schreibrechte auf sämtlichen Daten hat (ROLE_PUBLISH + group ProjectManager + group Editor + group Euro+Med Plantbase")

2. die einzelnen Autoren, die Lese-und Schreibrechte für ihre jeweilige taxonomische Gruppe (Familie, Gattung etc. mit allen darin enthaltenen Taxa) haben, aber zum Beispiel keine neuen bibliographischen Referenzen (etwa für geographische Angaben) editiern, hinzufügen oder löschen dürfen - nomenklatorische Referenzen dürfen sie hinzufügen, aber bestehende Referenzen nicht ändern oder löschen.

Im CDM sollen Autoren aber grundsätzlich Referenzen anlegen dürfen. Sie müssen dann eben prüfen, ob die Referenz schon existiert! (group Editor + group __"))

1. Eine dritte Ebene betrifft die Eingabe von Common Names - diese Nutzer dürfen an der Taxonomie und den Namen nichts ändern, sondern lediglich Informationen (factual data) mit entsprechenden bibl. Referenzen hinzufügen.

Additional Groups:

Group Euro+Med Plantbase:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]

Group **:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]{$uuid}

see also milestone Taxeditor-security

Requirements¶

• protect cdm types with CdmAuthorities:

  • Taxon - OK
  • TaxonNode - OK
  • Terms - TODO: Group Editor = TERMBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TERMBASE[CREATE,READ,UPDATE;DELETE]
  • References - TODO Group Editor = REFERENCE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, REFERENCE[CREATE,READ,UPDATE;DELETE]
  • Names - TODO Group Editor = TAXONNAMEBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TAXONNAMEBASE[CREATE,READ,UPDATE;DELETE]

• Restrict permission to edit, create, remove taxa can be restricted to one or multiple taxonomic groups - seems to be working -but the editor displays aggressive and technical error dialogues in case a user dares to execute a prohibited operation-. Three actions need be taken to improve this situation:

1. #4056 (taxeditor responds with nicer dialogue in case a user executes a prohibited operation)

2. #3781 (Protect new and delete TaxonNode commands [DISCUSS])

3. #4055 (operations offered by editor adapt to the users granted authorities) - UNDER REVIEW

4. #4111 (behaviour of TaxonEditor for users with limited grants [DISCUSS])

5. a bug: #4115 ('editor' users cannot create new references via the reference select list)

• Publish flag: A person allowed to edit a taxonomic group should not at the same time be allowed to publish this taxon. Therefore a special PUBLISH role is needed, which can be global or bound to a classification:

  • publish flag in cdmlib: #1780 (Publish bit instead of marker)
  • #4101 (publish bit must not set by default for new taxa)
  • permission management: #3980 (Implement PUBLISH role into cdmlib security)
  • editor: #3739 (Allow editing of publish bit for Taxon and SpecimenOrObservationBase), #3951 (Allow editing of publish bit for SpecimenOrObservationBase), #4011 (disallow changing publish flag for users with unsuffcient rights)
  • #4132 (automatic setting of the publish flag after editing an entity ([DISCUSS])
  • #4133 (publish flag inheritance for new taxa [DISCUSS])

• Users, Groups and Granted authorities can be more or less easily managed:

  • #2282 (Implement User and Group Management facilities in the Taxonomic Editor)
  • #2414 (Group updating doesn't work)
  • #3782 (Security Context is not updated after editing GrantedAuthorities of a Group)
  • #4082 (implement default permission groups)
  • lower priority tickets:
  • #4013 (GrantedAuthority: Humane label of TaxonNode authorities)
  • #4014 (user friendly way to assign Authotity Roles to users or to Groups)
  • #4052 (disentangle Group, Role, CdmAuthority, GrantedAuthorityImpl, ...)
  • #4054 (Taxeditor, Group Bulkeditor cannot delete Group)