[GeoNetwork-devel] Metadata permissions change service question

Hi

Can some explain this code:

if (us.getUserIdAsInt() == info.getSourceInfo().getOwner() && !isAdmin && !isReviewer) {
skip = true;
}

if (!update) {
dm.deleteMetadataOper(context, id, skip);
}

See https://github.com/geonetwork/core-geonetwork/blob/develop/services/src/main/java/org/fao/geonet/services/metadata/UpdateAdminOper.java#L105

DataManager:

if (skipAllIntranet) {
operationAllowedRepository.deleteAllByMetadataIdExceptGroupId(Integer.valueOf(metadataId), ReservedGroup.intranet.getId());
} else {
operationAllowedRepository.deleteAllByIdAttribute(OperationAllowedId_.metadataId, Integer.valueOf(metadataId));
}

See https://github.com/geonetwork/core-geonetwork/blob/develop/core/src/main/java/org/fao/geonet/kernel/DataManager.java#L2000

Looks to me a bit bizarre, unless I’m wrong seem working like this:

  • So if you’re the owner, but not admin or reviewer (skip=true): can’t change permissions to All/Intranet groups.
  • But if you’re not the owner (skip = false), the you can change the permissions for All/Intranet groups.

I guess this is not the purpose? Should not be checked something like this instead:

  • If the owner and admin or reviewer: allow to change All/Intranet permissions.

  • If NOT the owner, but an admin or reviewer in the group owner: allow to change All/Intranet permissions.

  • In any case when the user can’t change these permissions disable them in the UI?

Thanks and regards,
Jose García


GeoCat Bridge for ArcGIS allows instant publishing of data and metadata on GeoServer and GeoNetwork. Visit http://geocat.net for details.


Jose García
GeoCat bv
Veenderweg 13
6721 WD Bennekom
The Netherlands
http://GeoCat.net

Hi

I just checked in 2.10 and the UI has the privileges option not available for this UserAdmin profile. Apologies as looks like the issue happens in a custom project based on 2.9 (before Spring Security integration), when the metadata is created with an UserAdmin profile, as this option is available there.

Also from 2.10 with Spring Security, seem that the profiles are not incremental and UserAdmin, that doesn’t get by default the Editor/Reviewer permissions.

So this issue problem should happen only in versions previous to 2.10.

Regards,
Jose García

···

On Mon, Mar 3, 2014 at 12:29 PM, Jose Garcia <jose.garcia@anonymised.com> wrote:

Hi

Can some explain this code:

if (us.getUserIdAsInt() == info.getSourceInfo().getOwner() && !isAdmin && !isReviewer) {
skip = true;
}

if (!update) {
dm.deleteMetadataOper(context, id, skip);
}

See https://github.com/geonetwork/core-geonetwork/blob/develop/services/src/main/java/org/fao/geonet/services/metadata/UpdateAdminOper.java#L105

DataManager:

if (skipAllIntranet) {
operationAllowedRepository.deleteAllByMetadataIdExceptGroupId(Integer.valueOf(metadataId), ReservedGroup.intranet.getId());
} else {
operationAllowedRepository.deleteAllByIdAttribute(OperationAllowedId_.metadataId, Integer.valueOf(metadataId));
}

See https://github.com/geonetwork/core-geonetwork/blob/develop/core/src/main/java/org/fao/geonet/kernel/DataManager.java#L2000

Looks to me a bit bizarre, unless I’m wrong seem working like this:

  • So if you’re the owner, but not admin or reviewer (skip=true): can’t change permissions to All/Intranet groups.
  • But if you’re not the owner (skip = false), the you can change the permissions for All/Intranet groups.

I guess this is not the purpose? Should not be checked something like this instead:

  • If the owner and admin or reviewer: allow to change All/Intranet permissions.

  • If NOT the owner, but an admin or reviewer in the group owner: allow to change All/Intranet permissions.

  • In any case when the user can’t change these permissions disable them in the UI?

Thanks and regards,
Jose García


GeoCat Bridge for ArcGIS allows instant publishing of data and metadata on GeoServer and GeoNetwork. Visit http://geocat.net for details.


Jose García
GeoCat bv
Veenderweg 13
6721 WD Bennekom
The Netherlands
http://GeoCat.net


GeoCat Bridge for ArcGIS allows instant publishing of data and metadata on GeoServer and GeoNetwork. Visit http://geocat.net for details.


Jose García
GeoCat bv
Veenderweg 13
6721 WD Bennekom
The Netherlands
http://GeoCat.net

On 03/03/14 12:29, Jose Garcia wrote:

Hi

Can some explain this code:

*if (us.getUserIdAsInt() == info.getSourceInfo().getOwner() && !isAdmin
&& !isReviewer) {*
skip = true;
}

if (!update) {
dm.deleteMetadataOper(context, id, skip);
}

See
https://github.com/geonetwork/core-geonetwork/blob/develop/services/src/main/java/org/fao/geonet/services/metadata/UpdateAdminOper.java#L105

DataManager:

if (skipAllIntranet) {
operationAllowedRepository.deleteAllByMetadataIdExceptGroupId(Integer.valueOf(metadataId),
ReservedGroup.intranet.getId());
} else {
operationAllowedRepository.deleteAllByIdAttribute(OperationAllowedId_.metadataId,
Integer.valueOf(metadataId));
}

See
https://github.com/geonetwork/core-geonetwork/blob/develop/core/src/main/java/org/fao/geonet/kernel/DataManager.java#L2000

Looks to me a bit bizarre, unless I'm wrong seem working like this:

  * So if you're the owner, but not admin or reviewer (skip=true): can't
    change permissions to All/Intranet groups.

Yes, i reported the same issue against 2.8 in https://github.com/geonetwork/core-geonetwork/issues/324, and i need to recheck if it's still the same with 2.10/develop. Iirc it was discussed on irc at this moment, and there was a reasoning for the owner to not be able to publish its MD to All/Intranet, (cf https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webapp/xsl/metadata-admin.xsl#L49) but i still wasnt ok with that.

--
Landry Breuil
Mouton a 5 pattes du CRAIG