feature request #6867
explicitly assign and revoke UPDATE & DELETE permission per entity in the registration workflow
After an in-depth discussion in #4305 we decided that for phycobank the strategy D) (per instance UPDATE & DELETE permission) would be the most appropriate:
- a submitter will get the per instance UPDATE+DELETE permission when creating a Reference, TeamOrPersonBase, Name instance.
- once a registration is set to the state published, the UPDATE+DELETE permission must be revoked again, so that the registered name and references are protected from being changed after the editing registration workflow has ended.
The RegistrationManager (#6655) will be responsible for assigning and revoking of authorities.
NOTE: It is more reliable to implement the revoking of permissions in a GrantedAuthorityRevokingRegistrationUpdateListener which has been implemented for #7148 in cdm-vaadin|af48539c
For the future it might be a good idea to move the assignment of authorities into the cdmlib itself:
ExtendedCreatePermissionManager. This implements listener interfaces
- Interceptor to be able to act when a newly created instance of Reference, TeamOrPersonBase, Name, ... is being saved, see #7147
- RegistrationStateChangeEventLister to be noticed when the registration state is changed to published so that the permissions can be revoked. ==> this has been implemented as Hibernate PostUpdateEventListener the
ref #6867 RegistrationWorkingsetEditor: granting UPDATE permissions for SpecimenOrObservationBase entities
ref #6867 using runAsAuthentication ROLE_USERMANAGER to grant per entity authorities
ref #6867 generic failsafe mechanism to grant per entity permission in CdmPopupEditors
ref #6867 assigning UPDATE,DELETE for new Persons and Teams and fixing bugs related to TeamOrPersonField:
- prevent from saving empty persons and teams
ref #6867 extending the CdmPermissionClass enum and CdmAuthority support for sets
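
The grant-on-create and revoke-on-published lifecycle described in this ticket, as an added in-memory model in plain Java; it is not cdmlib or cdm-vaadin code. All class, method and state names other than UPDATE, DELETE and published are assumptions, and the update listener is modelled as a plain method that receives the old and new registration state.

```java
import java.util.*;

// Added illustration: a minimal in-memory model, not cdmlib or cdm-vaadin code.
public class PerEntityAuthorityDemo {
    enum Operation { UPDATE, DELETE }
    enum RegState { IN_PROGRESS, PUBLISHED } // IN_PROGRESS: placeholder for any earlier state

    // Per-user grants keyed by entity UUID (hypothetical storage).
    static final Map<String, Map<UUID, EnumSet<Operation>>> grants = new HashMap<>();

    // Called when a submitter saves a newly created Reference, TeamOrPersonBase or Name.
    static void grantOnCreate(String submitter, UUID entity) {
        grants.computeIfAbsent(submitter, k -> new HashMap<>())
              .put(entity, EnumSet.of(Operation.UPDATE, Operation.DELETE));
    }

    static boolean hasPermission(String user, UUID entity, Operation op) {
        return grants.getOrDefault(user, Map.of())
                     .getOrDefault(entity, EnumSet.noneOf(Operation.class)).contains(op);
    }

    // Stands in for a post-update listener: it sees old and new state on every update,
    // so revocation does not depend on which editor or service changed the state.
    static void onRegistrationUpdated(RegState oldState, RegState newState,
                                      String submitter, Collection<UUID> registeredEntities) {
        if (oldState == newState || newState != RegState.PUBLISHED) return;
        Map<UUID, EnumSet<Operation>> perEntity = grants.get(submitter);
        if (perEntity != null) registeredEntities.forEach(perEntity::remove);
    }

    static void check(boolean cond, String msg) {
        if (!cond) throw new IllegalStateException(msg);
    }

    public static void main(String[] args) {
        UUID name = UUID.randomUUID(), reference = UUID.randomUUID(), other = UUID.randomUUID();
        grantOnCreate("submitter", name);
        grantOnCreate("submitter", reference);
        grantOnCreate("submitter", other); // entity of a different, unpublished registration
        check(hasPermission("submitter", name, Operation.UPDATE), "creator may edit before publication");
        onRegistrationUpdated(RegState.IN_PROGRESS, RegState.PUBLISHED, "submitter", List.of(name, reference));
        check(!hasPermission("submitter", name, Operation.UPDATE), "published name is protected");
        check(!hasPermission("submitter", reference, Operation.DELETE), "published reference is protected");
        check(hasPermission("submitter", other, Operation.UPDATE), "unrelated grant is untouched");
        System.out.println("all checks passed");
    }
}
```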