
Task #1783 (closed)

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

Permissions : Sensible default permissions for initial groups

Reported by: jamoore
Owned by: jamoore
Priority: minor
Milestone: OMERO-Beta4.2
Component: Security
Version: 4.1
Keywords: n.a.
Cc: atarkowska, jburel
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: 0.0d
Sprint: 2010-03-19 (5)

Description

This ticket is a part of #1434.

Previously, all groups created via bin/omero db script were created with permissions -35 (rwr---). However, system and user should be -103 (rw----). What about "user" and "guest" (if it remains)?

ola 11:06
Josh: I wiped the db and script generated for me groups where (rwr-r-)
ola 11:07 
is this correct status?
josh moore 11:08 
Ola: hmm...... i might not have modified data.vm to create private groups. what do you think should happen?
ola 11:09 
I don't know any reason why predefined groups should be public
ola 11:09 
if security sys. required that is fine, but if not I would vote after rw----
09:42
otherwise all data imported by admin is public
josh moore 11:09 
ola: definitely not required. Just a question of user expectation.
09:59
system should be rw----, yes.
10:04
agree. I was thinking more about "CHANGE_ME"
ola 11:10 
we might think about guest having rwr-r-
josh moore 11:10 
guest will never be able to import, so it's not really critical. in fact, guest may no longer need a group. i'll have to think about it.
ola 11:12 
guest - fair enough. If there is flag in vm what defines then I would reduce to rw---- and if people need they can change configuration

Change History (10)

comment:1 Changed 14 years ago by jmoore

Note: this is also related to #1784. For scripting, original files must be visible (in the current implementation).

comment:2 Changed 14 years ago by jmoore

  • Sprint set to Sprint 2

comment:3 Changed 14 years ago by jmoore

  • Sprint 2010-02-19 (3) deleted

comment:4 Changed 14 years ago by jmoore

(In [6278]) see #1783 - Making CHANGE_ME private by default (again)

comment:5 Changed 14 years ago by jmoore

  • Sprint set to 2010-03-19 (5)

comment:6 Changed 14 years ago by jmoore

  • Remaining Time set to 0.1

comment:7 Changed 14 years ago by jmoore

  • Status changed from new to assigned

comment:8 Changed 14 years ago by jmoore

As a part of #1794, it was decided that the "user" group would be initially used as the "common pot" of objects which are globally visible. Therefore, the default group permissions are:

  • system: private, so administrators' work is not seen
  • user: public, since there is special handling to make it public anyway
  • guest: private, so that it doesn't show up on lists of "public" data where someone might want to login.

comment:9 Changed 14 years ago by jmoore

  • Remaining Time changed from 0.1 to 0
  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6365]) fix #1783 - initial groups

comment:10 Changed 14 years ago by jmoore

(In [6374]) see #1783 - adding to SQL and fixing one mistake
