Actions
Idea #3171
closed
[API] Modify permission model to allow users to see a subset of other users, according to group permissions/membership.
Start date:
08/20/2014
Due date:
Story points:
2.0
Description
Currently, we have
| Permission links | Behavior |
No permission path from userA to userB |
userA can see selected attributes of userB via users#index (as needed by the Sharing tab). |
{userA} can_read {groupG} can_read {userB} |
userA can read anything userB can read. |
This should change to
| Permission links | Behavior |
No permission path from userA to userB |
userA cannot see that userB exists.userB's uuid might appear in objects, butGET /users/userB will yield 404GET /users will not mention userB) |
{userA} can_read {groupG} can_read {userB} |
userA can see selected attributes of userB via users#index (as needed by the Sharing tab). |
{userA} can_read {groupG} can_manage {userB} |
userA can read anything userB can read. |
Implementation
- When generating the permissions graph in user.rb, follow only the permission links whose head_uuid is a group uuid or whose permission
nameis"can_manage". - The test cases involving "rominiadmin" might still work unmodified: the
testusergroup_can_manage_active_userlink hascan_managepermission. - Add test cases to demonstrate the new behavior, perhaps
- new link: testusergroup can_read spectator
- test: miniadmin user cannot read the owned_by_spectator specimen
- test: miniadmin user can get the spectator user record via index and get
- test: active user cannot get the spectator user record
Files
Updated by 
Updated by Radhika Chippada 
Updated by 
Updated by Anonymous
Actions