Users with write permission cannot update system metadata #1475

Closed
laurenwalker opened this issue Dec 21, 2020 · 1 comment
Labels
bug Something isn't working

Comments

@laurenwalker
Member

laurenwalker commented Dec 21, 2020

Steps to reproduce:

  • Create a resource map, EML, and data object but only give yourself read and write permission on these objects, and make someone else the rightsHolder
  • Send a request to updateSystemMetadata() for one of these objects, with only the fileName value changed.
  • Notice a 401 error is returned that says you do not have CHANGE_PERMISSION permission.

Proposed changes
I think we should allow updates to the rest of the system metadata, particularly the fileName and formatId, to anyone that has write permission. I am guessing we have chosen to deny all system metadata updates to users without changePermission for simplicity, but now that we are adding access policy editors and file name editors to MetacatUI, this issue is going to pop up a lot.

MetacatUI will have to start restricting renaming to only those with changePermission, which seems overkill. OR, it will have to perform an entire object update() just to rename the file (which is actually a loophole in which the user could change the access policy anyway... see #1450)

@taojing2002
Contributor

The change of the system metadata may involve the modification of access rules, which needs the changePermission. So we have to do it this way:

  1. If there are no changes on access rules, write permission is required.
  2. If there are some changes on access rules, change permission is required.

We need to develop code to compare access rules.

taojing2002 added a commit that referenced this issue Oct 11, 2021
…d doesn't change access control rules in the system metadata.

If the access control rules were modified, users should have the change permission.
Ref:#1475
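
One way to implement the rule proposed in the thread (write permission when the access rules are unchanged, changePermission when they differ), as an added Python sketch that is not Metacat's code or the referenced commit. The `SysMeta` class, the function names, and the sample values are hypothetical; the ordering read < write < changePermission follows DataONE, and treating a rightsHolder change like an access rule change is an assumption of this sketch.

```python
from dataclasses import dataclass, field

# DataONE permission levels; a higher level implies the lower ones.
# An unknown permission string raises KeyError, so the check fails closed.
IMPLIED = {
    "read": {"read"},
    "write": {"read", "write"},
    "changePermission": {"read", "write", "changePermission"},
}

@dataclass
class SysMeta:  # hypothetical, reduced stand-in for a system metadata document
    file_name: str
    format_id: str
    rights_holder: str
    access_policy: list = field(default_factory=list)  # [(subjects, permissions), ...]

def normalize(policy):
    """Collapse allow rules into {subject: effective permissions} so that rule
    order, duplicates, and implied permissions do not register as a change."""
    effective = {}
    for subjects, permissions in policy:
        for subject in subjects:
            for permission in permissions:
                effective.setdefault(subject, set()).update(IMPLIED[permission])
    return effective

def required_permission(current, proposed):
    """Permission the caller must hold on the object for this update."""
    if normalize(current.access_policy) != normalize(proposed.access_policy):
        return "changePermission"
    # Assumption of this sketch: a rightsHolder change counts as an access change.
    if current.rights_holder != proposed.rights_holder:
        return "changePermission"
    return "write"

def is_authorized(caller, current, proposed):
    """Evaluate the caller against the policy stored on the server,
    never against the policy submitted in the request."""
    if caller == current.rights_holder:
        return True
    held = normalize(current.access_policy).get(caller, set())
    return required_permission(current, proposed) in held

# Constructed sample: bob is the rightsHolder, alice holds read and write.
STORED = SysMeta("data.csv", "text/csv", "bob", [(["alice"], ["read", "write"])])
RENAME = SysMeta("renamed.csv", "text/csv", "bob", [(["alice"], ["write"])])
ESCALATE = SysMeta("data.csv", "text/csv", "bob", [(["alice"], ["changePermission"])])
```

`RENAME` is allowed for alice because its policy normalizes to the stored one, while `ESCALATE` is refused because the effective permissions differ and alice lacks changePermission.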