IP Groups: Define and enforce IP Group scope of permissions in application #1380
Comments
@scolapasta |
This is also true for explicit groups. |
…consideration in all code paths.
Validated by letting localhosts edit a dataset, viewing the dataset while not logging in, then removing the role assignment and trying to view the dataset again. On the second round, got redirected to the login page. |
@michbarsinai definitely we should merge them - is that a straightforward thing to do now? |
In speaking with Gustavo, there is a requirement that is unique to IP Groups: they cannot edit anything, change anything, effectively not write anything. Rather, this group's main purpose is to view and access restricted files and unpublished dv's and ds. So, I will test permissions for this group accordingly. |
Issues I have seen with IP Groups that may or may not need fixing, depending on a design/functionality review:
I am restricting the scope of this ticket back to being ipGroups only. |
This came up in the 8/2 Community Call (https://docs.google.com/document/d/1FsXatbbq-F4qwD_w9dqkFXpr2Sd4MqScKevUcHLCVDY/edit). |
This also came up for Numeric Data Services, where anyone using Harvard Library should be able to access their dataverse via IP. Another case is "licensed" data that the PI would like other institutions that subscribe to the data to access via Dataverse (like Princeton, etc.). This would increase use of the data itself and bring traffic to Dataverse--both of which we want. |
While working on bug: Note that the inability to delete an IP group that has assignments is OK. It's just that the error message was misleading. Error message fixed in 2ee3fad. |
…Group,no ipGroup)x(API, UI) ) work as required
…g groups as well (might also address #3056?). Validated the logic of group containment by prohibiting groups from containing groups defined on unrelated dataverses. Added tests, and admin API endpoint for listing role assignments for a given role assignee.
…ed Access logic to support restricted files
…ject implemented. Additional fixes to logic of group containments and accessing of restricted files
OK! off to final QA, and then, hopefully, dev. |
The low level IP Groups infrastructure has been created but the application currently does not check the perms nor enable actions in the application based on them. The groups do appear in the user list in permissions but assigning to roles there or via API has no effect.
Also, there has been some discussion whether IP group permissions should be limited to viewing/downloading rather than writing.
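A sketch of the check this issue asks for, added here as an illustration and not taken from the project's code: resolve the request address to IP groups, collect their role assignments on the target, and clamp what an IP group can grant to view/download. It assumes the view/download-only restriction under discussion is adopted; the permission labels, the `ip:` assignee prefix, and all class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Assumed permission labels (not the project's own); the thread only
# distinguishes viewing/downloading from writing.
READ_ONLY = frozenset({"view_unpublished", "download_restricted_file"})

@dataclass(frozen=True)
class IpGroup:
    alias: str
    networks: tuple  # CIDR strings, IPv4 or IPv6

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
        # A v4 address is never "in" a v6 network and vice versa.
        return any(ip in ipaddress.ip_network(n) for n in self.networks)

@dataclass(frozen=True)
class RoleAssignment:
    assignee: str           # "@user" or "ip:<alias>" (constructed convention)
    target: str             # dataverse / dataset identifier
    permissions: frozenset

def effective_permissions(addr, user, target, groups, assignments):
    """Permissions for one request. addr must be the peer address the server
    itself trusts, not a client-supplied header. Grants that arrive through an
    IP group are intersected with READ_ONLY, so the group can never write."""
    try:
        matched = {f"ip:{g.alias}" for g in groups if g.contains(addr)}
    except ValueError:      # unparsable address: fail closed, no membership
        matched = set()
    perms = set()
    for ra in assignments:
        if ra.target != target:
            continue
        if user is not None and ra.assignee == user:
            perms |= ra.permissions
        elif ra.assignee in matched:
            perms |= ra.permissions & READ_ONLY
    return perms

# Constructed sample data: a "localhost" IP group given an editor-like role.
GROUPS = [IpGroup("localhost", ("127.0.0.0/8", "::1/128"))]
ASSIGNMENTS = [
    RoleAssignment("ip:localhost", "ds1", frozenset({"view_unpublished", "edit_dataset"})),
    RoleAssignment("@alice", "ds1", frozenset({"view_unpublished", "edit_dataset"})),
]
```

Calling `effective_permissions` with an empty assignment list reproduces the validation described in the thread: once the role assignment is removed, an anonymous request from the group's address gets no permissions.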