
IP Groups: Define and enforce IP Group scope of permissions in application #1380

Closed
kcondon opened this issue Jan 23, 2015 · 25 comments

Comments

@kcondon
Contributor

kcondon commented Jan 23, 2015

The low level IP Groups infrastructure has been created but the application currently does not check the perms nor enable actions in the application based on them. The groups do appear in the user list in permissions but assigning to roles there or via API has no effect.

Also, there has been some discussion whether IP group permissions should be limited to viewing/downloading rather than writing.

@kcondon kcondon added the labels Type: Feature (a feature request), UX & UI: Design (This issue needs input on the design of the UI and from the product owner), and Priority: Medium, Jan 23, 2015
@kcondon kcondon added this to the In Review - Dataverse 4.0 milestone Jan 23, 2015
@scolapasta scolapasta modified the milestones: Beta 12 - Dataverse 4.0, In Review - Dataverse 4.0 Feb 2, 2015
@michbarsinai
Member

@scolapasta
Consider merge of permissionsFor and permissionsForUser in the permissionServiceBean

@kcondon
Contributor Author

kcondon commented Feb 5, 2015

This is also true for explicit groups.

@michbarsinai
Member

Validated by letting localhosts edit a dataset, viewing the dataset while not logging in, then removing the role assignment and trying to view the dataset again. On the second round, got redirected to the login page.
I didn't see the dataset metadata edit controls, but that might be another issue.

@scolapasta
Contributor

@michbarsinai definitely we should merge them - is that a straightforward thing to do now?

@kcondon
Contributor Author

kcondon commented Feb 25, 2015

In speaking with Gustavo, there is a requirement that is unique to IP Groups: they cannot edit anything, change anything, effectively not write anything. Rather, this group's main purpose is to view and access restricted files and unpublished dv's and ds. So, I will test permissions for this group accordingly.

@kcondon
Contributor Author

kcondon commented Feb 25, 2015

Issues I have seen with IP Groups that may or may not need fixing, depending on a design/functionality review:

  1. Can't assign a single IP address without specifying it as a range of 1: [1.1.1.1-1.1.1.1] (not really a major issue, just making note of it here).
  2. Can assign roles that have write permissions to IP groups, e.g. admin, editor, though ipGroups are not supposed to perform these functions and in some cases, i.e. edit buttons, can't see them due to the check on is authenticated user.
  3. Can't see unpublished dvs and ds in search results, though can browse directly to them.
  4. Have not tried accessing restricted files since that currently is not working.
  5. Can't delete ipGroup using the API if it has been assigned a role.
  6. No visible indicator that IP group membership is active when not otherwise logged in.
  7. IP groups can assign roles if they go to the perms page directly. Not allowed according to above requirement.

I am restricting the scope of this ticket back to being ipGroups only.
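
Added example, not part of the thread and not Dataverse code: a Python sketch of the requirement discussed above, where an IP group is matched by inclusive address ranges and can only ever yield read permissions, enforced both when a role is assigned and when permissions are computed. All permission names, role names, function names and sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical permission and role names, constructed for this example.
READ_ONLY = frozenset({"view_unpublished", "download_restricted_file"})
ROLES = {
    "viewer": READ_ONLY,
    "editor": READ_ONLY | {"edit_dataset"},
    "admin": READ_ONLY | {"edit_dataset", "manage_permissions"},
}

@dataclass(frozen=True)
class IpGroup:
    alias: str
    ranges: tuple  # inclusive (start, end) pairs; one address is (a, a)

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        for start, end in self.ranges:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            # IPv4 and IPv6 addresses are not comparable; match within one family.
            if ip.version == lo.version == hi.version and lo <= ip <= hi:
                return True
        return False

def check_assignable(role):
    """Assignment-time guard: refuse roles that carry write permissions."""
    extra = ROLES[role] - READ_ONLY
    if extra:
        raise ValueError(f"role {role!r} grants {sorted(extra)} to an IP group")

def ip_group_permissions(request_ip, groups, assignments):
    """Check-time guard: permissions a request gains from IP groups alone.

    assignments maps a group alias to role names. Write permissions are
    masked out even if an earlier assignment slipped past check_assignable.
    """
    granted = set()
    for group in groups:
        if group.contains(request_ip):
            for role in assignments.get(group.alias, ()):
                granted |= ROLES[role] & READ_ONLY
    return frozenset(granted)

# Constructed sample data: one range plus a single address written as a range of 1.
CAMPUS = IpGroup("campus", (("10.0.0.0", "10.0.255.255"), ("192.0.2.7", "192.0.2.7")))
LEGACY = {"campus": ["admin"]}  # a write-capable role assigned before the guard existed
```

Masking at check time as well as rejecting at assignment time means a role assignment that already exists in the database cannot grant write access through IP membership.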

@kcondon kcondon modified the milestones: In Review - Dataverse 4.0, Beta 13 - Dataverse 4.0 Feb 25, 2015
@kcondon kcondon removed their assignment Feb 25, 2015
@scolapasta scolapasta added this to the 4.0.4 milestone Mar 2, 2015
@pdurbin pdurbin removed their assignment Jul 19, 2016
@djbrooke
Contributor

djbrooke commented Aug 2, 2016

This came up in the 8/2 Community Call (https://docs.google.com/document/d/1FsXatbbq-F4qwD_w9dqkFXpr2Sd4MqScKevUcHLCVDY/edit).

@sbarbosadataverse

This also came up for Numeric Data Services, where anyone using Harvard Library should be able to access their dataverse via IP. Another case is "licensed" data that the PI would like other institutions that subscribe to the data to access via Dataverse (like Princeton, etc.). This would increase use of the data itself and bring traffic to Dataverse, both of which we want.

@michbarsinai
Member

While working on bug: Note that the inability to delete an IP group that has assignments is OK. It's just that the error message was misleading. Error message fixed in 2ee3fad.

michbarsinai added a commit that referenced this issue Aug 5, 2016
…Group,no ipGroup)x(API, UI) ) work as required
pdurbin added a commit that referenced this issue Aug 5, 2016


This commit affects Saved Search and MyData.
michbarsinai added a commit that referenced this issue Aug 8, 2016
…g groups as well (might also address #3056?). Validated the logic of group containment by prohibiting groups from containing groups defined on unrelated dataverses. Added tests, and admin API endpoint for listing role assignments for a given role assignee.
@djbrooke djbrooke added this to the 4.6 - File Replace milestone Aug 9, 2016
michbarsinai added a commit that referenced this issue Aug 9, 2016
michbarsinai added a commit that referenced this issue Aug 11, 2016
…ject implemented. Additional fixes to logic of group containments and accessing of restricted files
@michbarsinai michbarsinai removed their assignment Aug 12, 2016
@michbarsinai
Member

OK! off to final QA, and then, hopefully, dev.

@kcondon
Contributor Author

kcondon commented Aug 15, 2016

OK, basic ip group support is working. There are two remaining tickets, #3273, #3275. Closing this.
