User Story #1434 (new)
Opened 15 years ago
Last modified 14 years ago
Re-enable group permissions support — at Version 14
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | critical | Milestone: | OMERO-Beta4.2 |
Component: | Security | Keywords: | n.a. |
Cc: | jrswedlow, jburel, cxallan, bwzloranger, atarkowska, jmwallach@…, carlos@… | Story Points: | n.a. |
Sprint: | n.a. | Importance: | n.a. |
Total Remaining Time: | 0.0d | Estimated Remaining Time: | n.a. |
Description (last modified by jmoore)
Server changes phase 1:
- Add "private/public" to EventContext?
- choice to make groups public on creation? cf. ticket:1204 (essentially re-opening that ticket)
- All new objects are created in current group (warning/exception on explicit) with proper permissions for group
- All linked objects are checked for group (warning/exception on mixed group and/or mixed permissions)
- No object can be linked to an object of another group, regardless of permissions.
- All returned graphs are group-consistent, i.e. consist only of objects from a single group (with the exception of system types)
- Admin method to make group public (sends email)
- Prevent changing groups to "755" except through API!
- Check interaction with runAsAdmin & privileged-tokens. (ie. which has the highest priority)
- what happens to root/admin data when linked? automatically put in a matching group since root/admin will be able to read it?
Upgrade:
- Make all groups private (currently rw-r-r)
- Detect if any data is in a mixed graph and raise exception
- Make all group data private (enums?)
Possible changes:
- Enumerations made global
- IAdmin limits each user to a single group (?)
- Remove "default" group
- "user" group becomes the "user private space"
- thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.
Gui changes:
- "Move Y to group" - like the deleteY() methods, this would move an entire graph to a user's "group space". There may need to be some duplicating of tags, etc.
- Login option: "private space" or "group space"
Rollback:
- #337 (remove locking)
- #1405 (remove configurable default perms)
- possibly #1204 (make group global)
- possibly #307 (remove 'soft' perms)
See also:
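The group-consistency rules in the description above (no link across groups regardless of permissions, system types exempt, exception on a mixed graph), as an added example that is not part of the ticket or of OMERO's code. `Obj`, `SYSTEM_TYPES`, `MixedGroupError` and `check_group_consistent` are hypothetical names, and treating system types as leaves that are not traversed through is an assumption.

```python
from collections import deque

# Assumption: the "system types" exempt from the single-group rule.
SYSTEM_TYPES = {"Experimenter", "ExperimenterGroup"}

class MixedGroupError(Exception):
    """A link crosses from one group into another."""

class Obj:
    """Hypothetical stand-in for a model object (not an OMERO class)."""
    def __init__(self, type_name, group_id, *links):
        self.type_name, self.group_id = type_name, group_id
        self.links = list(links)
    def __repr__(self):
        return f"{self.type_name}(group={self.group_id})"

def check_group_consistent(root):
    """Return the one group id shared by the graph under root, or raise.
    Permissions are never consulted: a cross-group link is rejected even
    when the target would be readable. System types are exempt and are
    not traversed through, since they legitimately touch every group.
    """
    if root.type_name in SYSTEM_TYPES:
        return None
    group, seen, queue = root.group_id, {id(root)}, deque([root])
    while queue:
        node = queue.popleft()
        for target in node.links:
            if id(target) in seen or target.type_name in SYSTEM_TYPES:
                continue
            if target.group_id != group:
                raise MixedGroupError(f"{node!r} -> {target!r}")
            seen.add(id(target))
            queue.append(target)
    return group

def sample_consistent():
    """Constructed data: one group-3 graph with a cycle and a shared owner."""
    owner = Obj("Experimenter", 0)
    owner.links.append(Obj("Image", 5))   # owner's data elsewhere: not followed
    image = Obj("Image", 3, owner)
    dataset = Obj("Dataset", 3, image)
    image.links.append(dataset)           # back-link forms a cycle
    return Obj("Project", 3, dataset)

def sample_mixed():
    """Constructed data: a group-3 dataset linked to a group-5 image."""
    return Obj("Project", 3, Obj("Dataset", 3, Obj("Image", 5)))
```

`check_group_consistent(sample_consistent())` returns the graph's group id, while `sample_mixed()` raises `MixedGroupError` naming the offending link.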
Change History (14)
comment:1 Changed 15 years ago by jburel
comment:2 Changed 15 years ago by jmoore
- Cc bwzloranger atarkowska added
comment:3 Changed 15 years ago by jmoore
- Description modified (diff)
From Sep 04 conf call:
- permissions (Brian)
  - private space, and a single or multiple public space?
  - fine for vast majority of people
  - private space gets rid of PI concept. perhaps via 600
  - Donald: no private space?
  - Brian: can you add more than one boss?
  - Chris: how does this work with the setting a group to public from private?
  - quickest option:
    - user only in one group
    - turn group private or public
    - server ensures graph-consistency, both group_id and permissions
    - PI or admin can move group to public
    - UI: need to know group perspective (don't show data)
    - ADMIN UI: need to allow upgrade to group visible. can't downgrade
      - offering upgrade button
      - sending email to all the users??
  - next stage: either private space or multiple groups.
  - really a testing issue: moving the component/client tests.
    - get them green
    - then modify them as expected
comment:4 Changed 15 years ago by jmoore
- Description modified (diff)
comment:5 Changed 15 years ago by jmoore
- Description modified (diff)
comment:6 Changed 15 years ago by jmoore
- Description modified (diff)
comment:7 Changed 15 years ago by jmoore
- Description modified (diff)
comment:8 Changed 15 years ago by jmoore
- Description modified (diff)
comment:9 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2
Moving as discussed conf call 2009-09-18
comment:10 Changed 14 years ago by jmoore
- Description modified (diff)
comment:11 Changed 14 years ago by jmoore
- Description modified (diff)
comment:12 Changed 14 years ago by jmoore
- Description modified (diff)
comment:13 Changed 14 years ago by jmoore
- Description modified (diff)
comment:14 Changed 14 years ago by jmoore
- Description modified (diff)
GUI
will be presented. User will then have ability to switch to another group.