Project

General

Profile

Actions

Idea #2659

closed

[Workbench] Anonymous user can access publicly shared data using Workbench and curl

Added by Tom Clegg over 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Radhika Chippada
Category:
-
Target version:
Start date:
02/02/2015
Due date:
Story points:
2.0

Description

This has two parts:

  1. Implement a special "Anonymous" group and user
    • Created automatically, much like the "system group". uuid = xyzzy-j7d0g-anonymouspublic?
    • In permission checks, make sure anonymous_group_uuid is always in the list of readable groups.
    • This should produce the desired result if someone shares an object with the Anonymous group -- at least for users who are logged in.
  2. Provide a mechanism for clients to get "anonymous" privileges without using the usual OAuth/SSO procedure.
    • Add apiserver script to generate a token for the special anonymous user
    • Careful in API server not to let an anonymous user modify its own User object (or anything else normally allowed by permission system). Setting token scopes to ["GET /"] should be enough?
    • Add Workbench configuration item for "anonymous user token". (When this is nil, just use the current behavior.)
    • Workbench has to act a bit differently when deciding to show a login page, redirect to authentication procedure, or just proceed as anonymous user. E.g., bookmark a private page, log out, go back to the private page → show "not found or not authorized" page, and provide an option to log in.
    • Workbench should avoid showing "create new folder" links when operating in anonymous mode. (Probably need to fix some assumptions that "everyone can do X", and improve the "editable?" and "creatable?" methods so they return correct answers when current_user is the anonymous user.)

Expected behavior in Workbench:

Root url, no anon config Root url, anon config Top nav email/acct menu
Not logged in Redirect to /users/welcome Projects#index1 "Log in" button
Logged in, active=false, invited=false Redirect to /users/inactive Projects#index2 Logged-in user's email, with flag indicating "not activated". Click to see /users/welcome
Logged in, active=false, invited=true Redirect to /user_agreements Projects#index3 Logged-in user's email, with flag indicating "not activated". Click to see /user_agreements
Logged in, active=true Projects#index Projects#index Logged-in user's email

1 Instead of "my projects", there is a notification panel saying "welcome to arvados" (same as the usual "please login" stuff on front page)

2 Instead of "my projects", there is a notification panel saying "your account is not yet activated" (same as the usual "inactive" page)

3 Instead of "my projects", there is a notification panel saying "please accept user agreements in order to activate your account" (link/button to /user_agreements)


Subtasks 1 (0 open1 closed)

Task #5125: Review branch: 2659-anonymous-share-projectsResolvedTom Clegg02/02/2015Actions

Related issues

Related to Arvados - Feature #4728: [SDKs] 'arv-get' should be able to do anonymous collection downloads using scoped token from "share" linkClosed12/05/2014Actions
Actions

Also available in: Atom PDF