
User Story #1434 (closed)

Opened 12 years ago

Closed 11 years ago

Re-enable group permissions support

Reported by: jamoore Owned by: jamoore
Priority: critical Milestone: OMERO-Beta4.2
Component: Security Keywords: n.a.
Cc: jrswedlow, jburel, cxallan, bwzloranger, atarkowska, jmwallach@…, carlos@… Story Points: n.a.
Sprint: n.a. Importance: n.a.
Total Remaining Time: 0.0d Estimated Remaining Time: n.a.

Description (last modified by jmoore)

This ticket is the story umbrella for all the permissions improvements planned for milestone:OMERO-Beta4.2 in order to re-activate group-sharing. Linked tickets are available under [WorkPlan/Permissions]

Items under discussion

The following items are not listed on the WorkPlan page. If they are deemed important for 4.2, they should be moved there. If not, they should either be deleted or moved to their own tickets.

  • event on setSecurityContext and on changePermissions(group)
  • thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.
  • In some cases, automatically convert object's group to the attached to object? (From #1171, is this necessary if other groups are not visible?)

See also:

Change History (35)

comment:1 Changed 12 years ago by jburel

GUI

  • Login: if a user is member of more than one group, data of the last selected group will be presented. User will then have ability to switch to another group.

  • user able to see data of other users if the status of the group is "visible".

comment:2 Changed 12 years ago by jmoore

  • Cc bwzloranger atarkowska added

comment:3 Changed 12 years ago by jmoore

  • Description modified (diff)

From Sep 04 conf call:

 - permissions (Brian)
  -- private space, and a single or multiple public space?
  -- fine for vast majority of people
  -- private space gets rid of PI concept. perhaps via 600
  -- Donald: no private space?
  -- Brian: can you add more than one boss?
  -- Chris: how does this work with the setting a group to public from private?
  -- quickest option:
   --- user only in one group
   --- turn group private or public
   --- server ensures graph-consistency, both group_id and permissions
   --- PI or admin can move group to public
   --- UI: need to know group perspective (don't show data)
   --- ADMIN UI: need to allow upgrade to group visible. can't downgrade
    ---- offering upgrade button
    ---- sending email to all the users??
  -- next stage: either private space or multiple groups.
  -- really a testing issue: moving the component/client tests.
   --- get them green
   --- then modify them as expected

comment:4 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:5 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:6 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:7 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:8 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:9 Changed 12 years ago by jmoore

  • Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

Moving as discussed conf call 2009-09-18

comment:10 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:11 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:12 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:13 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:14 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:15 Changed 12 years ago by jmoore

Brief discussion on write with Ola, Josh, Jean-Marie:

  • want to keep things simple for the user
  • the solution above allows setting on group
  • but do we need to let user change write-ability?
  • e.g. "make container read-only or full-access"
  • J-M: dangerous except for annotations to let change
    • Josh: but Image.description or Shape.color?
  • "rwrwrw" not a good idea. But could have a PUBLIC group (with guest)
  • for options of groups: rw, rwr, rwrw
  • configurable initial groups? Maybe
  • users in more than one group? Yes
  • more than one PI? Yes
  • G/E/P/D/I? Yes, but G is strict (security based), E isn't (could be mixed)
    • Need a way to restrict owner-mixing? Maybe (would be LINK permission)
    • Perhaps handle it via best-practice
    • Possible to distinguish hierarchies and annotations? Hard.
    • Possibly use color codes per user initially.
    • If user filtering, pass back "friend" user list of who was queried?

comment:16 Changed 12 years ago by jmoore

  • Cc jmwallach@… added

comment:17 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:18 Changed 12 years ago by jmoore

Marked tickets #1072 and #1171 as duplicates.

comment:19 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:20 Changed 12 years ago by jmoore

  • Description modified (diff)

Marked #203 as a duplicate of this ticket.

comment:21 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:22 Changed 11 years ago by jmoore

  • Description modified (diff)

comment:23 Changed 11 years ago by jmoore

comment:24 Changed 11 years ago by jmoore

#1 Permissions 10:28 ([[OmeWork#190]])

 - With Ola
  -- private / public groups, check-box
   --- @How long does it take?
  -- Features to include
   --- Group creation gets toggle
   --- Multiple-owners
   --- List owned-groups on MyAccount
   --- adding checkboxes to "Edit scientist"

 - New things
  -- getSecurityContexts
  -- GroupSecurityViolation
  -- changePermissions
  -- objects global (no owner)
  -- admin don't have to log in as system
  -- multiple owners (unsetGroupOwner, etc)

 - Questions
  -- no-owners? all-owners? toggle?
  -- default/active? (check box to change forever?)
  -- private group viewed by root/pi?
  -- wizard for chgrp & make-private
  -- admin logging into all groups?
  -- initial login? or last login or default?

comment:25 Changed 11 years ago by jmoore

#2 Permissions 11:45 ([[OmeWork#191]])

 - switching group on login
  -- Insight: different user/server list disappears
  -- not so important // need more interaction testing
  -- # of people in multiple group is limited
  -- more important to have ability to see other's data

 - more important...
  -- being able to administer groups while viewing images
  -- j-m: working on lite version of admin

 - active/last-selected/default/"default"
  -- last-selected / default
  -- ExperimenterGroup.name == "default"
   --- name? CHANGE_ME?
   --- documenting deleting/changing name
   --- root redirected to group page? (renaming)
   --- click box for creating a new group?
   --- bin/omero db script to be something other than "default"
  -- existing group identifications
   --- active: group set on the session
   --- default: top of list of groups
   --- last-selected: ?? no storage
  -- issues
   --- pi
   --- scripts
  -- not so important // need more interaction testing

 - other questions
  -- enforcing an owner on a group
  -- pi in private group
   --- read-only? (renderingsettings of user)
   --- move to owner of group?
   --- group-shared/public permissions?
  -- chgrp wizard
   --- possibly needed for upgrade
   --- clarification: no changing READ permissions at object level
   --- use case: archiving

 - demo @ end of week
  -- Thurs. screenshots
  -- couple of users on ola's machine

comment:26 Changed 11 years ago by jmoore

  • Cc carlos@… added

Carlos committed r6040 and r6041

comment:27 Changed 11 years ago by jmoore

  • r6043 non-null constraint on session.defaultPermissions Forcing …
  • r6042 Changing "default" group to "CHANGE_ME" for simplicity

comment:28 Changed 11 years ago by jmoore

#1 Permissions prioritized bugs 14:20 ([[OmeWork#194]])

 - Ola
  -- rwr-- mode
   --- doesn't use to WRITE
   --- allow OWNER to call changePermissions()
   --- for now only upgrade
   --- WRITE also is based on group (1776)
   --- PUBLIC group in the next week or two
  -- updateGroup
   --- says permissions must be changed in IAdmin
  -- owner
   --- create group and set owner in one call
   --- addGroupOwners()
   --- removeGroupOwners()
 - Jean-Marie
  -- Shoola is crashing with latest server (#1777)
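The group-level permission model sketched in comment:15 and comment:28 (an "rw / rwr / rwrw" string applied per group, not per object, plus the server-side check that links never cross groups) as an added toy model; this is illustration code written for this page, not OMERO's implementation. It assumes the six-character owner/group/world layout and that shorthands such as "rwr" are padded with "-" on the right; the role and exception names are hypothetical.

```python
"""Toy model of group-scoped permissions as discussed on this ticket.

Added illustration, not OMERO code. Assumptions (not stated on the page):
a permission string is six chars, "rw" pairs for owner / group / world,
and shorthands such as "rw", "rwr", "rwrw" are padded with "-" on the right.
"""
from dataclasses import dataclass

ROLES = ("owner", "group", "world")


def parse_perms(perm: str) -> dict:
    """Expand e.g. "rwr" to "rwr---" and map role -> read/write flags."""
    perm = perm.ljust(6, "-")
    if len(perm) != 6 or any(c not in "rw-" for c in perm):
        raise ValueError(f"bad permission string: {perm!r}")
    flags = {}
    for i, role in enumerate(ROLES):
        r, w = perm[2 * i], perm[2 * i + 1]
        flags[role] = {"read": r == "r", "write": w == "w"}
    return flags


@dataclass(frozen=True)
class Obj:
    owner: str   # experimenter who created the object
    group: str   # the single group the object belongs to


class GroupSecurityViolation(Exception):
    """Raised when a link would span two groups (the "MIXED GROUP" case)."""


def role_of(actor: str, actor_groups: set, obj: Obj) -> str:
    """Owner beats group membership; anyone else is 'world'."""
    if actor == obj.owner:
        return "owner"
    return "group" if obj.group in actor_groups else "world"


def can(actor: str, actor_groups: set, obj: Obj, group_perms: dict, op: str) -> bool:
    """Permission is looked up on the object's group, never on the object."""
    return parse_perms(group_perms[obj.group])[role_of(actor, actor_groups, obj)][op]


def link(parent: Obj, child: Obj) -> None:
    """Graph-consistency check: both ends of a link must share one group."""
    if parent.group != child.group:
        raise GroupSecurityViolation(
            f"mixed group: {parent.group!r} vs {child.group!r}")
```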

comment:29 Changed 11 years ago by jmoore

comment:30 Changed 11 years ago by jmoore

(In [6392]) fix #2055 - checking for matching permissions (see #1434)

comment:31 Changed 11 years ago by omero

Dear Sirs,

While trying to upgrade the OMERO database from version 4.1 to version 4.2 by using the script committed on:

http://trac.openmicroscopy.org.uk/omero/browser/trunk/sql/psql/OMERO4.2-DEV__0/OMERO4.1__0.sql?rev=6068

I get the following error:
omero@omero:/opt/omero_dist/sql/psql/OMERO4.2-DEV__0$ psql -h localhost -U omero < OMERO4.10.sql
Password for user omero:
BEGIN
CREATE FUNCTION

omero_assert_omero4_1_0



(1 row)

DROP FUNCTION
INSERT 0 1
ALTER TABLE
ERROR: syntax error at or near "="
LINE 5: AND experimenterid. = groupexperimentermap.child;


ERROR: syntax error at or near "COLUMN"
LINE 1: ALTER TABLE groupexperimentermap SET COLUMN owner NOT NULL;


ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ROLLBACK

And the upgrade of the database fails. I'm not sure if commenting here is the best way to report this kind of problem, just in case feel free to drop me a line at alessandro.dellavedova<@>ifom-ieo-campus.it

Thank you for your continued efforts in developing OMERO !

Alessandro

comment:32 Changed 11 years ago by jmoore

(In [7005]) see #1434 - Improving "MIXED GROUP" exception message

comment:33 Changed 11 years ago by jmoore

(In [7041]) fix #2401 - Removing hack needed from before group permissions. See #1434

comment:34 Changed 11 years ago by jmoore

(In [7486]) Ignoring all non-system permissions on update (See #1750, #1434)

comment:35 Changed 11 years ago by jmoore

  • Resolution set to fixed
  • Status changed from new to closed