feature request #7018
implement a CdmPermissionVoter and default authorities for SpecimenOrObservationBase
SpecimenOrObservationBase need to be protected by a SpecimenOrObservationBaseVoter which evaluates CRUD permissions given to users or Groups.
Permissions and the derivation hierachy¶
If a per entity authority for a SpecimenOrObservationBase is given to a user the hierarchy of the DerivedUnits becomes important
In case of the Phycobank project a per entity authority is given for the FieldUnit and this permission will intrinsically be propagated to all children in the the derivation tree.
This approach seems to be sufficient for most project workflows. If user is not having the permission to edit the whole derivation tree it can be granted to edit a specific DerivedUnit and will then be able to create and modify all units which are derivatives of the one he is allowed to edit. But this might not be appropriate in all cases:
DerivedUnits and DerivationEvents can form graphs with multiple roots.
fuA -- duA \ duAB -- du2 / fuB -- duB
In order to modify
du2 it is either necessary to have the per entity authority for
duAB, as mentioned above, or
- (2) for
This second (2) approach is however not feasible with the current
CdmAuthorities and the
CdmPermissionVoter.furtherVotingDescisions((CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult validationResult) which is only able to operate on one CdmAuthority at the same time. To make it possible to validate permissions as in (2) it would be needed to pass all
CdmAuthority for which the voter is responsible for to the furtherVotingDescisions method. ==> handled in #7020