Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #8277 (closed)

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

Adjust all permissions per user on read

Reported by: jamoore Owned by: jamoore
Priority: critical Milestone: OMERO-4.4
Component: General Version: n.a.
Keywords: n.a. Cc: jburel, wmoore
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: 2012-04-10 (12)

Description (last modified by jmoore)

Permission objects which are returned along with data graphs should be adjusted in order to reflect the capabilities of the current security context. For this implementation, the permission values on the actual rows will be ignored, which is inline with the overall story (#2874).

This work includes:

  • Add methods canLink and canEdit (DONE)
  • Add the call context, the event context, and the client/session object to the details of all objects. (DONE)
  • Make the default object factory for permissions return a non-editable version (DONE)
  • Perform the adjustment before returning any objects. Unloaded objects will not have permission objects, and therefore will need to be reloaded by the user.

See: https://www.openmicroscopy.org/site/community/minutes/minigroup/2012.03.12-groupperms

Change History (20)

comment:1 Changed 10 years ago by jmoore

  • Status changed from new to accepted

comment:2 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:3 Changed 10 years ago by jmoore

  • Description modified (diff)

Updating after discussion in devteam about the choice between canAnnotate(event, call) and just canAnnotate()

comment:4 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:5 Changed 10 years ago by jmoore

  • Description modified (diff)
  • Remaining Time changed from 1.0 to 0.75

comment:6 Changed 10 years ago by jburel

  • Sprint changed from 2012-03-27 (11) to 2012-04-10 (12)

Moved from sprint 2012-03-27 (11)

comment:7 Changed 10 years ago by jmoore

  • Remaining Time changed from 0.75 to 0
  • Resolution set to fixed
  • Status changed from accepted to closed

Done in my 2874-chmod branch.

comment:8 Changed 10 years ago by jmoore <josh@…>

(In [d4b9f52dabc353309c83f0a7bda935d3761a30cb/ome.git] on branch develop) Add Immutable permissions (See #8277)

Once permissions are transferred to the client, they should
no longer be mutable to prevent false expectations.

comment:9 Changed 10 years ago by jmoore <josh@…>

(In [07e2e2d682e5c151235896e7386787350b4e46bb/ome.git] on branch develop) Change immutable implementation (See #8277)

Ice uses the default constructor of the PermissionsI
objects in a factory to first create objects and only
then does it fill in the fields, therefore it's not
possible to use the same ImmutablePermissionsI strategy
as done for internal permissions.

comment:10 Changed 10 years ago by jmoore <josh@…>

(In [43e5858292a800e3bc30924874950db68e6982fa/ome.git] on branch develop) PermissionsI.immutable for all SDKs (See #8277)

comment:11 Changed 10 years ago by jmoore <josh@…>

(In [e1e45adc6eb833c447cb32db9be26d5756a19255/ome.git] on branch develop) Passing chmod tests (See #8277, #8278)

These are simple tests which already pass when there is not much data.
The intent is to remove the changing of each row (#8278) and then have
these fail until #8277 is implemented.

comment:12 Changed 10 years ago by jmoore <josh@…>

(In [c7794a500b77327dc93c8c2df67da6ad2b08409c/ome.git] on branch develop) Post-processing permissions via BasicACLVoter (See #8277)

comment:13 Changed 10 years ago by jmoore <josh@…>

(In [71433e22d763d5a3c0f5cb739b8eabb58526aaf5/ome.git] on branch develop) All permissions now modifid on read (Fix #8277)

Permission values stored in the database for non-group
objects are now ignored, and instead the current group
permissions are set on all objects at read time.

This also properly sets (and tests) the setting of:

  • details.getEventContext()
  • details.getCallContext()
  • permissions.canAnnotate()
  • permissions.canEdit()

comment:14 Changed 10 years ago by jmoore <josh@…>

(In [d4b9f52dabc353309c83f0a7bda935d3761a30cb/ome.git] on branch develop) Add Immutable permissions (See #8277)

Once permissions are transferred to the client, they should
no longer be mutable to prevent false expectations.

comment:15 Changed 10 years ago by jmoore <josh@…>

(In [07e2e2d682e5c151235896e7386787350b4e46bb/ome.git] on branch develop) Change immutable implementation (See #8277)

Ice uses the default constructor of the PermissionsI
objects in a factory to first create objects and only
then does it fill in the fields, therefore it's not
possible to use the same ImmutablePermissionsI strategy
as done for internal permissions.

comment:16 Changed 10 years ago by jmoore <josh@…>

(In [43e5858292a800e3bc30924874950db68e6982fa/ome.git] on branch develop) PermissionsI.immutable for all SDKs (See #8277)

comment:17 Changed 10 years ago by jmoore <josh@…>

(In [e1e45adc6eb833c447cb32db9be26d5756a19255/ome.git] on branch develop) Passing chmod tests (See #8277, #8278)

These are simple tests which already pass when there is not much data.
The intent is to remove the changing of each row (#8278) and then have
these fail until #8277 is implemented.

comment:18 Changed 10 years ago by jmoore <josh@…>

(In [c7794a500b77327dc93c8c2df67da6ad2b08409c/ome.git] on branch develop) Post-processing permissions via BasicACLVoter (See #8277)

comment:19 Changed 10 years ago by jmoore <josh@…>

(In [71433e22d763d5a3c0f5cb739b8eabb58526aaf5/ome.git] on branch develop) All permissions now modifid on read (Fix #8277)

Permission values stored in the database for non-group
objects are now ignored, and instead the current group
permissions are set on all objects at read time.

This also properly sets (and tests) the setting of:

  • details.getEventContext()
  • details.getCallContext()
  • permissions.canAnnotate()
  • permissions.canEdit()

comment:20 Changed 10 years ago by jmoore <josh@…>

(In [4356899660f19858c66c1dc2b37d70627203a9df/ome.git] on branch develop) Fix BasicACLVoter.postProcess for unload objs (See #8277)

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.70943 sec.)

We're Hiring!