Context Navigation

← Previous Ticket
Next Ticket →

Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.

Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

User Story #1434 (new)

Opened 15 years ago

Last modified 14 years ago

Re-enable group permissions support — at Version 21

Reported by:	jamoore	Owned by:	jamoore
Priority:	critical	Milestone:	OMERO-Beta4.2
Component:	Security	Keywords:	n.a.
Cc:	jrswedlow, jburel, cxallan, bwzloranger, atarkowska, jmwallach@…, carlos@…	Story Points:	n.a.
Sprint:	n.a.	Importance:	n.a.
Total Remaining Time:	0.0d	Estimated Remaining Time:	n.a.

Description (last modified by jmoore)

This ticket is the story umbrella for all the permissions improvements planned for milestone:OMERO-Beta4.2 in order to re-activate group-sharing. Linked tickets are available under [WorkPlan/Permissions]

Items under discussion

The following items are not listed on the WorkPlan page. If they are deemed important for 4.2, they should be moved there. If not, they should either be deleted or moved to their own tickets.

thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.
In some cases, automatically convert object's group to the attached to object? (From #1171, is this necessary if other groups are not visible?)

See also:

References

Referenced by:

← Requirement (#1854): Permissions
References:
→ Task (#2039): rollback #337 (remove locking) ( Owner: jamoore Remaining Time: 0 ) → Task (#1974): Use Session.useragent for identifying active sessionss ( Owner: jamoore Remaining Time: 0 ) → Task (#2032): Thumbnail caching bugs ( Owner: cxallan Remaining Time: 0 ) → Task (#1801): Thumbnail / Rendering will need to be permissions-aware ( Owner: cxallan Remaining Time: 0 ) → Task (#2196): Throw a SessionException if setSecurityContext called during active method ( Owner: jamoore Remaining Time: 0 ) → Task (#2487): Tag in collaborative groups ( Owner: jburel ) → Task (#2144): SecurityViolation on ExperimenterAnnotationLink ( Owner: jamoore Remaining Time: 0 ) → Task (#1731): Review session.details.permissions usage (4.1 and beyond) ( Owner: jamoore Remaining Time: 0 ) → Task (#2082): Rendering settings and permissions ( Owner: cxallan Remaining Time: 0 ) → Task (#2105): Permissions demo (Sprint 6) ( Owner: cxallan ) → Task (#2031): Permissions demo (Sprint 5) ( Owner: cxallan ) → Task (#1929): Permissions demo (Sprint 4) ( Owner: jburel Remaining Time: 0 ) → Task (#1784): Permissions : problems with Scripting service ( Remaining Time: 0 ) → Task (#1775): Permissions : createGroup from python always leads to public group ( Owner: jamoore ) → Task (#1791): Permissions : User photos broken ( Owner: jamoore Remaining Time: 0 ) → Task (#1783): Permissions : Sensible default permissions for initial groups ( Owner: jamoore Remaining Time: 0 ) → Task (#1771): Permissions : Refine security filter ( Owner: jamoore ) → Task (#1776): Permissions : Prevent inappropriate permission changes in IObjects ( Owner: jamoore ) → Task (#1792): Permissions : Linking restriction is too strict. ( Owner: jamoore ) → Task (#1817): Permissions : Keep track of previous security context ( Owner: jamoore Remaining Time: 0 ) → Task (#1769): Permissions : Handle admin/PI viewing/annotating in private group ( Owner: jamoore ) → Task (#1767): Permissions : Enumerations should be global objects ( Owner: jamoore ) → Task (#1794): Permissions : Define exceptions to standard group permissions (#1434) ( Owner: jamoore Remaining Time: 0 ) → Task (#1764): Permissions : Allow root to login to any group even if not member ( Owner: jamoore ) → Task (#1766): Permissions : Allow group ownership by more than one PI ( Owner: jamoore ) → Task (#1781): Permissions : Allow group owners to manage own group ( Owner: jamoore ) → Task (#1762): Permissions : All returned graphs are group/perms consistent ( Owner: jamoore ) → Task (#1778): Permissions : Add addGroupOwners and removeGroupOwners ( Owner: jamoore ) → Task (#1992): Move to READ-ONLY / READ-LINK rather than READ-WRITE ( Owner: jamoore Remaining Time: 0 ) → Task (#445): Logging in as root with a non-system group prevents administration. ( Owner: jamoore Keywords: login ) → Task (#1975): ISession methods for listing sessions ( Owner: jamoore Remaining Time: 0 ) → Task (#1996): Fix read-write group thumbnail retrieval ( Owner: cxallan Remaining Time: 0 ) → Task (#2295): Document Delete Permissions ( Owner: wmoore ) → Task (#2079): Create-Image Permissions → Task (#2088): Check group/share on setSecurityContext not on use ( Owner: jamoore Remaining Time: 0 ) → Task (#1310): Changing active group ( Owner: jamoore ) → Task (#2008): Bug: Settings reset on another user's image does not work ( Owner: cxallan Remaining Time: 0 ) → Task (#2055): BUG:Feedback 2341 - rating multiple images throws ( Owner: jamoore Remaining Time: 0 ) → Task (#2203): BUG: loadAnnotations not load avatar ( Owner: atarkowska ) → Task (#2269): BUG: group re-relogin not working (Feedback 2389) ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2265): BUG: getEventContext does not recognize read-only group ( Owner: jamoore Remaining Time: 0 ) → Task (#2274): BUG: Thumbnail and caching ( Owner: cxallan ) → Task (#2071): BUG: Thumbnail Permissions ( Owner: cxallan ) → Task (#2038): BUG: Tag loading IMetadata ( Owner: jburel Remaining Time: 0 ) → Task (#2058): BUG: SecurityViolation when updating avatar ( Owner: jamoore Remaining Time: 0 ) → Task (#1798): BUG: SecurityFilter doesn't seem to be applied to ExperimenterAnnotationLink ( Owner: jamoore Remaining Time: 0 ) → Task (#2267): BUG: Plate thumbnails ( Owner: jburel ) → Task (#2195): BUG: Need group info in importer (Feedback 2370) ( Owner: bwzloranger ) → Task (#2063): BUG: NPE when setPixelsId() is called on an unreadable Pixels ID ( Owner: cxallan Remaining Time: 0 ) → Task (#2202): BUG: Importer has inconsistant group login dialog and behaviour ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2497): BUG: IUpdate.indexObject broken for objects not in current group ( Owner: jamoore Remaining Time: 0 ) → Task (#1704): BUG: ISession.update is broken wrt defaultPermissions and perhaps other ( Owner: jamoore Remaining Time: 0 ) → Task (#1779): BUG : permissions of non-group system types is influenced by current group ( Owner: jamoore Remaining Time: 0 ) → Task (#1940): Allow users to login to public groups ( Owner: jamoore Remaining Time: 0 ) → Task (#2040): Add group support back into importer ( Owner: bwzloranger Remaining Time: 0 ) → Task (#2215): Add group icons/text to importer ( Owner: bwzloranger Remaining Time: 0 ) → Task (#967): Add defaultGroup field to Session table. ( Owner: jamoore Remaining Time: 0 )

Change History (21)

comment:1 Changed 15 years ago by jburel

GUI

will be presented. User will then have ability to switch to another group.

user able to see data of other users if the status of the group is "visible".

comment:2 Changed 15 years ago by jmoore

Cc bwzloranger atarkowska added

comment:3 Changed 15 years ago by jmoore

Description modified (diff)

From Sep 04 conf call:

 - permissions (Brian)
  -- private space, and a single or multiple public space?
  -- fine for vast majority of people
  -- private space gets rid of PI concept. perhaps via 600
  -- Donald: no private space?
  -- Brian: can you add more than one boss?
  -- Chris: how does this work with the setting a group to public from private?
  -- quickest option:
   --- uesr only in one group
   --- turn group private or public
   --- server ensures graph-consistency, both group_id and permissions
   --- PI or admin can move group to public
   --- UI: need to know group prespective (don't show data)
   --- ADMIN UI: need to allow upgrade to group visible. can't downgrade
    ---- offering upgrade button
    ---- sending email to all the users??
  -- next stage: either private space or multiple groups.
  -- really a testing issue: moving the component/client tests.
   --- get them green
   --- then modify them as expected

comment:4 Changed 15 years ago by jmoore

Description modified (diff)

comment:5 Changed 15 years ago by jmoore

Description modified (diff)

comment:6 Changed 15 years ago by jmoore

Description modified (diff)

comment:7 Changed 15 years ago by jmoore

Description modified (diff)

comment:8 Changed 15 years ago by jmoore

Description modified (diff)

comment:9 Changed 15 years ago by jmoore

Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

Moving as discussed conf call 2009-09-18

comment:10 Changed 14 years ago by jmoore

Description modified (diff)

comment:11 Changed 14 years ago by jmoore

Description modified (diff)

comment:12 Changed 14 years ago by jmoore

Description modified (diff)

comment:13 Changed 14 years ago by jmoore

Description modified (diff)

comment:14 Changed 14 years ago by jmoore

Description modified (diff)

comment:15 Changed 14 years ago by jmoore

Brief discussion on write with Ola, Josh, Jean-Marie:

want to keep things simple for the user
the solution above allows setting on group
but do we need to let user change write-ability?
e.g. "make container read-only or full-access"
J-M: dangerous except for annotations to let change
- Josh: but Image.description or Shape.color?
"rwrwrw" not a good idea. But could have a PUBLIC group (with guest)
for options of groups: rw, rwr, rwrw
configurable initial groups? Maybe
users in more than one group? Yes
more than one PI? Yes
G/E/P/D/I? Yes, but G is strict (security based), E isn't (could be mixed)
- Need a way to restrict owner-mixing? Maybe (would be LINK permission)
- Perhaps handle it via best-practice
- Possible to distinguish hierarchies and annotations? Hard.
- Possibly use color codes per user initially.
- If user filtering, pass back "friend" user list of who was queried?

comment:16 Changed 14 years ago by jmoore

Cc jmwallach@… added

comment:17 Changed 14 years ago by jmoore

Description modified (diff)

comment:18 Changed 14 years ago by jmoore

Marked tickets #1072 and #1171 as duplicates.

comment:19 Changed 14 years ago by jmoore

Description modified (diff)

comment:20 Changed 14 years ago by jmoore

Description modified (diff)

Maked #203 as a duplicate of this ticket.

comment:21 Changed 14 years ago by jmoore

Description modified (diff)

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

Download in other formats: