Re-enable group permissions support

[jamoore]

This ticket is the story umbrella for all the permissions improvements planned for milestone:OMERO-Beta4.2 in order to re-activate group-sharing. Linked tickets are available under [WorkPlan/Permissions]

Items under discussion

The following items are not listed on the WorkPlan page. If they are deemed important for 4.2, they should be moved there. If not, they should either be deleted or moved to their own tickets.

• event on setSecurityContext and on changePermissions(group)
• thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.
• In some cases, automatically convert object's group to the attached to object? (From #1171, is this necessary if other groups are not visible?)

---

See also:

• ​http://openmicroscopy.org/community/viewtopic.php?f=4&t=306
• ​Aug 21 conf call
• ​Sep 04 conf call
• #1171

[jburel]

GUI

• Login: if a user is member of more than one group, data of the last selected group

will be presented. User will then have ability to switch to another group.

• user able to see data of other users if the status of the group is "visible".

[jmoore]

From ​Sep 04 conf call:

 - permissions (Brian)
  -- private space, and a single or multiple public space?
  -- fine for vast majority of people
  -- private space gets rid of PI concept. perhaps via 600
  -- Donald: no private space?
  -- Brian: can you add more than one boss?
  -- Chris: how does this work with the setting a group to public from private?
  -- quickest option:
   --- uesr only in one group
   --- turn group private or public
   --- server ensures graph-consistency, both group_id and permissions
   --- PI or admin can move group to public
   --- UI: need to know group prespective (don't show data)
   --- ADMIN UI: need to allow upgrade to group visible. can't downgrade
    ---- offering upgrade button
    ---- sending email to all the users??
  -- next stage: either private space or multiple groups.
  -- really a testing issue: moving the component/client tests.
   --- get them green
   --- then modify them as expected

[jmoore]

Moving as discussed ​conf call 2009-09-18

[jmoore]

Brief discussion on write with Ola, Josh, Jean-Marie:

• want to keep things simple for the user
• the solution above allows setting on group
• but do we need to let user change write-ability?
• e.g. "make container read-only or full-access"
• J-M: dangerous except for annotations to let change
  • Josh: but Image.description or Shape.color?
• "rwrwrw" not a good idea. But could have a PUBLIC group (with guest)
• for options of groups: rw, rwr, rwrw
• configurable initial groups? Maybe
• users in more than one group? Yes
• more than one PI? Yes
• G/E/P/D/I? Yes, but G is strict (security based), E isn't (could be mixed)
  • Need a way to restrict owner-mixing? Maybe (would be LINK permission)
  • Perhaps handle it via best-practice
  • Possible to distinguish hierarchies and annotations? Hard.
  • Possibly use color codes per user initially.
  • If user filtering, pass back "friend" user list of who was queried?

[jmoore]

Marked tickets #1072 and #1171 as duplicates.

[jmoore]

Maked #203 as a duplicate of this ticket.

[jmoore]

• r6012 Initial work for enabling group sharing
• r6014 removing default permissions (compiling)
• r6015 beginning work on group-pased permission inheritance
• r6016 First version of 4.2-DEV0 with global ExperimenterGroup?
• r6017 Update of 4.2-DEV0 with global GroupExperimenterMap? and
• r6018 setting of group permissions (intermediate)
• r6019 Added GroupSecurityViolation?
• r6020 Modifying SecurityFilter? for consistent graphs
• r6021 Allow root login to non-member groups
• r6022 group-consistent graph test fixes
• r6023 Allow multiple group owners (API support)
• r6024 Global enumerations (no DB upgrade yet)
• r6025 Primary test package
• r6026 test fixes
• r6027 Band-aid fixes for WebAdmin?

[jmoore]

.#1 Permissions 10:28 ([[OmeWork#190]])

 - With Ola
  -- private / public groups, check-box
   --- @How long does it take?
  -- Features to include
   --- Group creation gets toggle
   --- Multiple-owners
   --- List owned-groups on MyAccount
   --- adding checkboxes to "Edit scientist"

 - New things
  -- getSecurityContexts
  -- GroupSecurityViolation
  -- changePermissions
  -- objects global (no owner)
  -- admin don't have to log in as system
  -- multiple owners (unsetGroupOwner, etc)

 - Questions
  -- no-owners? all-owners? toggle?
  -- default/active? (check box to change forever?)
  -- private group viewed by root/pi?
  -- wizard for chgrp & make-private
  -- admin logging into all groups?
  -- initial login? or last login or default?

[jmoore]

.#2 Permissions 11:45 ([[OmeWork#191]])

 - switching group on login
  -- Insight: different user/server list disappears
  -- not so important // need more interaction testing
  -- # of people in multiple group is limited
  -- more important to have ability to see other's data

 - more important...
  -- being able to administer groups while viewing images
  -- j-m: working on lite version of admin

 - active/last-selected/default/"default"
  -- last-selected / default
  -- ExperimenterGroup.name == "default"
   --- name? CHANGE_ME?
   --- documenting deleting/changing name
   --- root redirected to group page? (renaming)
   --- click box for creating a new group?
   --- bin/omero db script to be something other than "default"
  -- existing group identifications
   --- active: group set on the session
   --- default: top of list of groups
   --- last-selected: ?? no storage
  -- issues
   --- pi
   --- scripts
  -- not so important // need more interaction testing

 - other questions
  -- enforcing an owner on a group
  -- pi in private group
   --- read-only? (renderingsettings of user)
   --- move to owner of group?
   --- group-shared/public permissions?
  -- chgrp wizard
   --- possibly needed for upgrade
   --- clarification: no changing READ permissions at object level
   --- use case: archiving

 - demo @ end of week
  -- Thurs. screenshots
  -- couple of users on ola's machine

[jmoore]

Carlos committed r6040 and r6041

[jmoore]

• r6043 non-null constraint on session.defaultPermissions Forcing …
• r6042 Changing "default" group to "CHANGE_ME" for simplicity

[jmoore]

.#1 Permissions prioritized bugs 14:20 ([[OmeWork#194]])

 - Ola
  -- rwr-- mode
   --- doesn't use to WRITE
   --- allow OWNER to call changePermissions()
   --- for now only upgrade
   --- WRITE also is based on group (1776)
   --- PUBLIC group in the next week or two
  -- updateGroup
   --- says permissions must be changed in IAdmin
  -- owner
   --- create group and set owner in one call
   --- addGroupOwners()
   --- removeGroupOwners()
 - Jean-Marie
  -- Shoola is crashing with lastest server (#1777)

[jmoore]

(In [6392]) fix #2055 - checking for matching permissions (see #1434)

[omero]

Dear Sirs,

While trying to upgrade the OMERO database from version 4.1 to version 4.2 by using the script committed on:

​http://trac.openmicroscopy.org.uk/omero/browser/trunk/sql/psql/OMERO4.2-DEV__0/OMERO4.1__0.sql?rev=6068

I get the following error:
omero@omero:/opt/omero_dist/sql/psql/OMERO4.2-DEV__0$ psql -h localhost -U omero < OMERO4.10.sql
Password for user omero:
BEGIN
CREATE FUNCTION

omero_assert_omero4_1_0

---

(1 row)

DROP FUNCTION
INSERT 0 1
ALTER TABLE
ERROR: syntax error at or near "="
LINE 5: AND experimenterid. = groupexperimentermap.child;

ERROR: syntax error at or near "COLUMN"
LINE 1: ALTER TABLE groupexperimentermap SET COLUMN owner NOT NULL;

ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ROLLBACK

And the upgrade of the database fails. I'm not sure if commenting here is the best way to report this kind of problems, just in case feel free to drop me a line at alessandro.dellavedova<@>ifom-ieo-campus.it

Thank you for your continued efforts in developing OMERO !

Alessandro

[jmoore]

(In [7005]) see #1434 - Improving "MIXED GROUP" exception message

[jmoore]

(In [7041]) fix #2401 - Removing hack needed from before group permissions. See #1434

[jmoore]

(In [7486]) Ignoring all non-system permissions on update (See #1750, #1434)