feature request #7018
Updated by Andreas Kohlbecker over 6 years ago
SpecimenOrObservationBase need to be protected by a SpecimenOrObservationBaseVoter which evaluates CRUD permissions given to users or Groups.
## Permissions and the derivation hierachy
If a per entity authority for a SpecimenOrObservationBase is given to a user the hierarchy of the DerivedUnits becomes important
In case of the Phycobank project a per entity authority is given for the FieldUnit and this permission will intrinsically be propagated to all children in the the derivation tree.
This approach seems to be sufficient for most project workflows. If user is not having the permission to edit the whole derivation tree it can be granted to edit a specific DerivedUnit and will then be able to create and modify all units which are derivatives of the one he is allowed to edit. But this might not be appropriate in all cases:
DerivedUnits and DerivationEvents can form graphs with multiple roots.
~~~
fuA -- duA
\
duAB -- du2
/
fuB -- duB
~~~
In order to modify `du2` it is either necessary to have the per entity authority for
* (1) *(1) `duAB`, as mentioned above, or
* (2) *(2) for `fuA` AND `fuB`.
This second (2) approach is however not feasible with the current `CdmAuthorities` and the `CdmPermissionVoter.furtherVotingDescisions((CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult validationResult)` which is only able to operate on one CdmAuthority at the same time. To make it possible to validate permissions as in (2) it would be needed to pass all `CdmAuthority` for which the voter is responsible for to the furtherVotingDescisions method. ==> handled in #7020 **TODO** new Issue