bug #7390

Updated by Andreas Kohlbecker almost 2 years ago

When a user is only having per entity grants to UPDATE TaxonNames adding a basionym to a taxonname may fail:

* TaxonName "Beta exemplaris" for which the user has the **UPDATE** authority
* TaxonName "Alpha exemplaris" for which the user is not having the update permission.

Adding "Alpha exemplaris" as basionym to "Beta exemplaris" will fail in this situation during the hibernate session flush since the new basionym name relationships will be added to both of the taxon names. This operation should be possible, though. The scientific name at the *from*-side (that is the basionym) of the name relation is not altered by using it as a basionym for another name.

The same issue exists also replaced synonym relations!

Possible solutions:

* **General solution:**
* Skip the permission check for name relations at the from-side for basionym and replaced-synonym relations. How about other relations? (This can be reached e.g. by removing the according Cascade)
* Introduce a new permission concept like *privileged access* for updates: *priviledged update*? (see SAP)
* **Application specific**: Temporarily grant the UPDATE authority to the user performing the operations in the client application. Grant before flushing the session and remove the grant afterwards. Use a try-catch-finally clause where the withdrawal of the temporary permission is done in the finally clause. --> #7391

see also [[WorkshopRightsAndRoles2017-11]]


Add picture from clipboard (Maximum size: 40 MB)