Context Navigation

← Previous Ticket
Next Ticket →

Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.

Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

User Story #1434 (new)

Opened 15 years ago

Last modified 14 years ago

Re-enable group permissions support — at Version 14

Reported by:	jamoore	Owned by:	jamoore
Priority:	critical	Milestone:	OMERO-Beta4.2
Component:	Security	Keywords:	n.a.
Cc:	jrswedlow, jburel, cxallan, bwzloranger, atarkowska, jmwallach@…, carlos@…	Story Points:	n.a.
Sprint:	n.a.	Importance:	n.a.
Total Remaining Time:	0.0d	Estimated Remaining Time:	n.a.

Description (last modified by jmoore)

Server changes phase 1:

Add "private/public" to EventContext?
choice to make groups public on creation? cF. ticket:1204 (essentially re-opening that ticket)
All new objects are created in current group (warning/exception on explicit) with proper permissions for group
All linked objects are checked for group (warning/exception on mixed group and/or mixed permissions)
No object can be linked to an object of another group, regardless of permissions.
All returned graphs are group-consistent, i.e. consist only of objects from a single group (with the exception of system types)
Admin method to make group public (sends email)
Prevent changing groups to "755" except through API!
Check interaction with runAsAdmin & privileged-tokens. (ie. which has the highest priority)
what happens to root/admin data when linked? automatically put in a matching group since root/admin will be able to read it?

Upgrade:

Make all groups private (currently rw-r-r)
Detect if any data is in a mixed graph and raise exception
Make all group data private (enums?)

Possible changes:

Enumerations made global
IAdmin limits each user to a single group (?)
Remove "default" group
"user" group becomes the "user private space"
thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.

Gui changes:

"Move Y to group" - like the deleteY() methods, this would move an entire graph to a user's "group space". There may need to be some duplicating of tags, etc.

Rollback:

#337 (remove locking)
#1405 (remove configurable default perms)
possibly #1204 (make group global)
possibly #307 (remove 'soft' perms)

See also:

References

Referenced by:

← Requirement (#1854): Permissions
References:
→ Task (#2039): rollback #337 (remove locking) ( Owner: jamoore Remaining Time: 0 ) → Task (#1974): Use Session.useragent for identifying active sessionss ( Owner: jamoore Remaining Time: 0 ) → Task (#2032): Thumbnail caching bugs ( Owner: cxallan Remaining Time: 0 ) → Task (#1801): Thumbnail / Rendering will need to be permissions-aware ( Owner: cxallan Remaining Time: 0 ) → Task (#2196): Throw a SessionException if setSecurityContext called during active method ( Owner: jamoore Remaining Time: 0 ) → Task (#2487): Tag in collaborative groups ( Owner: jburel ) → Task (#2144): SecurityViolation on ExperimenterAnnotationLink ( Owner: jamoore Remaining Time: 0 ) → Task (#1731): Review session.details.permissions usage (4.1 and beyond) ( Owner: jamoore Remaining Time: 0 ) → Task (#2082): Rendering settings and permissions ( Owner: cxallan Remaining Time: 0 ) → Task (#2105): Permissions demo (Sprint 6) ( Owner: cxallan ) → Task (#2031): Permissions demo (Sprint 5) ( Owner: cxallan ) → Task (#1929): Permissions demo (Sprint 4) ( Owner: jburel Remaining Time: 0 ) → Task (#1784): Permissions : problems with Scripting service ( Remaining Time: 0 ) → Task (#1775): Permissions : createGroup from python always leads to public group ( Owner: jamoore ) → Task (#1791): Permissions : User photos broken ( Owner: jamoore Remaining Time: 0 ) → Task (#1783): Permissions : Sensible default permissions for initial groups ( Owner: jamoore Remaining Time: 0 ) → Task (#1771): Permissions : Refine security filter ( Owner: jamoore ) → Task (#1776): Permissions : Prevent inappropriate permission changes in IObjects ( Owner: jamoore ) → Task (#1792): Permissions : Linking restriction is too strict. ( Owner: jamoore ) → Task (#1817): Permissions : Keep track of previous security context ( Owner: jamoore Remaining Time: 0 ) → Task (#1769): Permissions : Handle admin/PI viewing/annotating in private group ( Owner: jamoore ) → Task (#1767): Permissions : Enumerations should be global objects ( Owner: jamoore ) → Task (#1794): Permissions : Define exceptions to standard group permissions (#1434) ( Owner: jamoore Remaining Time: 0 ) → Task (#1764): Permissions : Allow root to login to any group even if not member ( Owner: jamoore ) → Task (#1766): Permissions : Allow group ownership by more than one PI ( Owner: jamoore ) → Task (#1781): Permissions : Allow group owners to manage own group ( Owner: jamoore ) → Task (#1762): Permissions : All returned graphs are group/perms consistent ( Owner: jamoore ) → Task (#1778): Permissions : Add addGroupOwners and removeGroupOwners ( Owner: jamoore ) → Task (#1992): Move to READ-ONLY / READ-LINK rather than READ-WRITE ( Owner: jamoore Remaining Time: 0 ) → Task (#445): Logging in as root with a non-system group prevents administration. ( Owner: jamoore Keywords: login ) → Task (#1975): ISession methods for listing sessions ( Owner: jamoore Remaining Time: 0 ) → Task (#1996): Fix read-write group thumbnail retrieval ( Owner: cxallan Remaining Time: 0 ) → Task (#2295): Document Delete Permissions ( Owner: wmoore ) → Task (#2079): Create-Image Permissions → Task (#2088): Check group/share on setSecurityContext not on use ( Owner: jamoore Remaining Time: 0 ) → Task (#1310): Changing active group ( Owner: jamoore ) → Task (#2008): Bug: Settings reset on another user's image does not work ( Owner: cxallan Remaining Time: 0 ) → Task (#2055): BUG:Feedback 2341 - rating multiple images throws ( Owner: jamoore Remaining Time: 0 ) → Task (#2203): BUG: loadAnnotations not load avatar ( Owner: atarkowska ) → Task (#2269): BUG: group re-relogin not working (Feedback 2389) ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2265): BUG: getEventContext does not recognize read-only group ( Owner: jamoore Remaining Time: 0 ) → Task (#2274): BUG: Thumbnail and caching ( Owner: cxallan ) → Task (#2071): BUG: Thumbnail Permissions ( Owner: cxallan ) → Task (#2038): BUG: Tag loading IMetadata ( Owner: jburel Remaining Time: 0 ) → Task (#2058): BUG: SecurityViolation when updating avatar ( Owner: jamoore Remaining Time: 0 ) → Task (#1798): BUG: SecurityFilter doesn't seem to be applied to ExperimenterAnnotationLink ( Owner: jamoore Remaining Time: 0 ) → Task (#2267): BUG: Plate thumbnails ( Owner: jburel ) → Task (#2195): BUG: Need group info in importer (Feedback 2370) ( Owner: bwzloranger ) → Task (#2063): BUG: NPE when setPixelsId() is called on an unreadable Pixels ID ( Owner: cxallan Remaining Time: 0 ) → Task (#2202): BUG: Importer has inconsistant group login dialog and behaviour ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2497): BUG: IUpdate.indexObject broken for objects not in current group ( Owner: jamoore Remaining Time: 0 ) → Task (#1704): BUG: ISession.update is broken wrt defaultPermissions and perhaps other ( Owner: jamoore Remaining Time: 0 ) → Task (#1779): BUG : permissions of non-group system types is influenced by current group ( Owner: jamoore Remaining Time: 0 ) → Task (#1940): Allow users to login to public groups ( Owner: jamoore Remaining Time: 0 ) → Task (#2040): Add group support back into importer ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2215): Add group icons/text to importer ( Owner: bwzloranger Remaining Time: 0 ) → Task (#967): Add defaultGroup field to Session table. ( Owner: jamoore Remaining Time: 0 )

Change History (14)

comment:1 Changed 15 years ago by jburel

GUI

will be presented. User will then have ability to switch to another group.

user able to see data of other users if the status of the group is "visible".

comment:2 Changed 15 years ago by jmoore

Cc bwzloranger atarkowska added

comment:3 Changed 15 years ago by jmoore

Description modified (diff)

From Sep 04 conf call:

 - permissions (Brian)
  -- private space, and a single or multiple public space?
  -- fine for vast majority of people
  -- private space gets rid of PI concept. perhaps via 600
  -- Donald: no private space?
  -- Brian: can you add more than one boss?
  -- Chris: how does this work with the setting a group to public from private?
  -- quickest option:
   --- uesr only in one group
   --- turn group private or public
   --- server ensures graph-consistency, both group_id and permissions
   --- PI or admin can move group to public
   --- UI: need to know group prespective (don't show data)
   --- ADMIN UI: need to allow upgrade to group visible. can't downgrade
    ---- offering upgrade button
    ---- sending email to all the users??
  -- next stage: either private space or multiple groups.
  -- really a testing issue: moving the component/client tests.
   --- get them green
   --- then modify them as expected

comment:4 Changed 15 years ago by jmoore

Description modified (diff)

comment:5 Changed 15 years ago by jmoore

Description modified (diff)

comment:6 Changed 15 years ago by jmoore

Description modified (diff)

comment:7 Changed 15 years ago by jmoore

Description modified (diff)

comment:8 Changed 15 years ago by jmoore

Description modified (diff)

comment:9 Changed 15 years ago by jmoore

Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

Moving as discussed conf call 2009-09-18

comment:10 Changed 14 years ago by jmoore

Description modified (diff)

comment:11 Changed 14 years ago by jmoore

Description modified (diff)

comment:12 Changed 14 years ago by jmoore

Description modified (diff)

comment:13 Changed 14 years ago by jmoore

Description modified (diff)

comment:14 Changed 14 years ago by jmoore

Description modified (diff)

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

Download in other formats: