[Workbench] When showing a shared project, do not include "Home" in breadcrumbs.
#2 Updated by Tom Clegg almost 4 years ago
Updated version after meeting:
Given the following ownership hierarchy, where
A <--- B signifies "B.owner_uuid==A.uuid":
system_user <--- user_A <--- project_A_shared <--- user_B <--- project_B_shared <--- user_C <--- project_C_shared <--- user_D <--- project_D_private <--- project_D_shared <--- project_D2_shared <--- user_I <--- project_I_privateAnd assuming:
- I am user_I
- I can read user_A and user_A's home project contents (e.g., I administer a group that user_A belongs to)
- I can read user_B (e.g., we are members of the same organizational group) but I cannot read user_B's home project
- I cannot read user_C at all (which implies I cannot read user_C's home project)
|When I view...||Breadcrumbs look like...||Notes|
|my own home project||Home (user_I)||
|project_I_private||Home (user_I) → project_I_private|
|user_A's home project||Home (user_A)||The only reason I see user_A's name in breadcrumbs is that it's part of the name of a project I can click/view.|
|project_A_shared||Home (user_A) → project_A_shared||(ditto)|
|project_B_shared||Shared projects → project_B_shared||"Shared projects" is just that literal string, and isn't clickable.
This is what "other people's projects" look like to regular (non-sysadmin, non-group-admin) users.
|project_C_shared||Shared projects → project_C_shared|
|project_D_shared||Shared projects → project_D_shared|
|project_D2_shared||Shared projects → project_D_shared → project_D2_shared|
If a non-project group appears in the ownership chain, display it but don't make it clickable. (Or, alternatively, confirm this situation is prevented by API server validations.)
Implementation¶The distinctions between the various cases aren't about whether a given "owner" object is current_user, but rather whether current_user can view that object as a project. In practice this is true IFF
- the owner is a group object which can be fetched, or
- the owner is a user object for which we can call arvados.v1.groups.contents (calling it with limit=0 might be the best way to check this).