feature request #3709

open

[E+M][Editor] sufficient rights management for E+M workflow

Added by Andreas Kohlbecker over 10 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Highest
Category: taxeditor
Target version:
Start date:
Due date:
% Done: 80%
Estimated time: 20:00 h
Severity: major

Description

Implement rights management and roles etc. which is needed for the E+M workflow:

Groups and Authorities

In ticket #4082 (implement default permission groups) the default PermissionGroups have been implemented for Eumed (and hopefully also for other databases). These default permission groups have to be combined and others have to be created manually in order to create the effective user groups for euro + med, which are:

  1. the Editorial Board, which has read and write permissions on all data (ROLE_PUBLISH + group ProjectManager + group Editor + group Euro+Med Plantbase")

  2. the individual authors, who have read and write permissions for their respective taxonomic group (family, genus etc. with all taxa contained in it), but who, for example, may not edit, add or delete new bibliographic references (e.g. for geographic information) - they may add nomenclatural references, but may not change or delete existing references.

In the CDM, however, authors should in principle be allowed to create references. They then simply have to check whether the reference already exists! (group Editor + group __"))

  3. A third level concerns the entry of common names - these users may not change anything in the taxonomy or the names, but may only add information (factual data) with the corresponding bibliographic references.

Additional Groups:

Group Euro+Med Plantbase:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]

Group **:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]{$uuid}

see also milestone Taxeditor-security

Requirements

  • protect cdm types with CdmAuthorities:

    • Taxon - OK
    • TaxonNode - OK
    • Terms - TODO: Group Editor = TERMBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TERMBASE[CREATE,READ,UPDATE;DELETE]
    • References - TODO Group Editor = REFERENCE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, REFERENCE[CREATE,READ,UPDATE;DELETE]
    • Names - TODO Group Editor = TAXONNAMEBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TAXONNAMEBASE[CREATE,READ,UPDATE;DELETE]
  • Permission to edit, create, remove taxa can be restricted to one or multiple taxonomic groups - seems to be working -but the editor displays aggressive and technical error dialogues in case a user dares to execute a prohibited operation-. Three actions need to be taken to improve this situation:

  1. #4056 (taxeditor responds with nicer dialogue in case a user executes a prohibited operation)

  2. #3781 (Protect new and delete TaxonNode commands [DISCUSS])

  3. #4055 (operations offered by editor adapt to the users granted authorities) - UNDER REVIEW

  4. #4111 (behaviour of TaxonEditor for users with limited grants [DISCUSS])

  5. a bug: #4115 ('editor' users cannot create new references via the reference select list)

  • Publish flag: A person allowed to edit a taxonomic group should not at the same time be allowed to publish this taxon. Therefore a special PUBLISH role is needed, which can be global or bound to a classification:

    • publish flag in cdmlib: #1780 (Publish bit instead of marker)
    • #4101 (publish bit must not be set by default for new taxa)
    • permission management: #3980 (Implement PUBLISH role into cdmlib security)
    • editor: #3739 (Allow editing of publish bit for Taxon and SpecimenOrObservationBase), #3951 (Allow editing of publish bit for SpecimenOrObservationBase), #4011 (disallow changing publish flag for users with insufficient rights)
    • #4132 (automatic setting of the publish flag after editing an entity [DISCUSS])
    • #4133 (publish flag inheritance for new taxa [DISCUSS])
  • Users, Groups and Granted authorities can be more or less easily managed:

    • #2282 (Implement User and Group Management facilities in the Taxonomic Editor)
    • #2414 (Group updating doesn't work)
    • #3782 (Security Context is not updated after editing GrantedAuthorities of a Group)
    • #4082 (implement default permission groups)
    • lower priority tickets:
      • #4013 (GrantedAuthority: Humane label of TaxonNode authorities)
      • #4014 (user friendly way to assign Authority Roles to users or to Groups)
      • #4052 (disentangle Group, Role, CdmAuthority, GrantedAuthorityImpl, ...)
      • #4054 (Taxeditor, Group Bulkeditor cannot delete Group)
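
Added example (not part of the ticket and not cdmlib code): a simplified Python model of how the authority strings listed above combine into a user's effective permissions, with a node-bound TAXONNODE authority covering the whole subtree and publishing gated by ROLE_PUBLISH alone. The node ids, helper names and the default-deny evaluation are assumptions; group ProjectManager is left out because the ticket does not list its authorities.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape used in the ticket: TYPE.[OP,OP]{target}; the dot and {target} are optional.
AUTHORITY_RE = re.compile(r"^([A-Z]+)\.?\[([A-Z,]+)\](?:\{([^}]+)\})?$")

@dataclass(frozen=True)
class Authority:
    cdm_type: str
    operations: frozenset
    target: Optional[str]  # None: not bound to a single taxon node

def parse(text):
    m = AUTHORITY_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed authority: {text!r}")
    return Authority(m.group(1), frozenset(m.group(2).split(",")), m.group(3))

def ancestors(node, parent_of):
    """Return the node itself plus every node above it in the classification."""
    chain = set()
    while node is not None and node not in chain:  # second test guards against cycles
        chain.add(node)
        node = parent_of.get(node)
    return chain

def is_permitted(granted, cdm_type, op, node=None, parent_of=None):
    """Default deny: some authority must match type, operation and subtree."""
    scope = ancestors(node, parent_of or {})
    for text in granted:
        if text.startswith("ROLE_"):
            continue  # roles never imply CRUD rights in this model
        a = parse(text)
        in_scope = a.target is None or a.target in scope
        if a.cdm_type == cdm_type and op in a.operations and in_scope:
            return True
    return False

def can_publish(granted):
    return "ROLE_PUBLISH" in granted  # publishing is kept separate from UPDATE

# Constructed sample data: the node ids stand in for the {$uuid} placeholder.
PARENT_OF = {"genus-a1": "family-a", "family-a": "root", "family-b": "root"}
EDITOR = ["TERMBASE[CREATE,READ]", "REFERENCE[CREATE,READ]", "TAXONNAMEBASE[CREATE,READ]"]
PLANTBASE = ["TAXONNODE.[CREATE,READ,UPDATE,DELETE]"]
AUTHOR = EDITOR + ["TAXONNODE.[CREATE,READ,UPDATE,DELETE]{family-a}"]
BOARD = ["ROLE_PUBLISH"] + EDITOR + PLANTBASE
```
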

Related issues

Related to EDIT - feature request #4101: Default value for publish bit of new taxa must be configurable via DB preferences | Closed | Katja Luther

Related to EDIT - feature request #4011: disallow changing publish flag for users with insufficient rights | Worksforme | Katja Luther | 03/11/2022 | 03/18/2022

Related to EDIT - feature request #4133: publish flag inheritance for new taxa [DISCUSS] | Duplicate | Andreas Müller

Related to EDIT - feature request #4014: User friendly way to assign Authority Roles to users or to Groups | New | Andreas Kohlbecker

Related to EDIT - feature request #5873: Implement rights&roles for TaxEditor distribution editor | In Progress | Katja Luther

Related to EDIT - feature request #6162: Implement "Forgot your password?" button in the Taxeditor connect dialog | New | Katja Luther

Related to EDIT - task #3560: Withheld unpublished taxa from webservice used in E+M dataportal | Resolved | Andreas Müller

Related to EDIT - feature request #4305: newly created entities must stay editable even if a user only has the permission to create them | In Progress | Andreas Kohlbecker

Related to EDIT - feature request #8239: Rights issues in TaxEditor | New | Katja Luther
