Authenticated user not assigned to a group can add, edit, and delete repositories
|Assignee:|José Raddaoui Marín|
|% Done:||
|Category:|Access Control|
|Estimated time:|24.00 hours|
|Target version:|Release 1.4.0|
|Google Code Legacy ID:|atom-2332|
|Tested version:||
To reproduce this error:
1) Log in as an administrator and create a new user
2) Do not assign the new user to any groups; log out
3) Log in as the new (now authenticated) user
4) Navigate to repositories and select a repository
An authenticated user with no permissions will have the Edit, Delete, and Add New buttons available, and can successfully act on these options (e.g., delete a repository).
An authenticated user with no permissions should not be able to add, edit, or delete repositories.
System should require all authenticated users to be assigned to a group.
This same error is true of other users who belong to groups which should not require this function: e.g. a translator.
When viewing the page without authentication (i.e., without logging in as a user), repositories can be viewed but not altered or deleted; this is the expected behavior for the authenticated user as well.
Legacy categories: Access control, Repository, User management
#11 Updated by José Raddaoui Marín almost 9 years ago
Hi, a few notes:
In order to make this possible I've added permissions for the repositories:
- First of all, you must upgrade the database: php symfony tools:upgrade-sql
This will create a root repository and add it as a parent of the existing repositories. This root repository shouldn't appear in any kind of repository list and shouldn't be accessible via URL.
- Going to Admin -> groups or users -> any user or group, you should see a new tab to manage permissions for archival institutions. This functionality works exactly as the authority record permissions. Permissions for an individual repository or for all the repositories may be assigned for the selected group/user.
- Then check if the new permissions are working as expected, also via URL.
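The permission model sketched in the comment above (a hidden root repository that is the parent of every real repository, grants per repository or for all repositories, assigned to users or groups), written out as a default-deny resolver alongside the pre-fix behaviour the issue reports. This is an added illustration, not AtoM's code; the grant schema, the `EVERYONE` pseudo-group, repository slugs and user names are all constructed for the example.

```python
from dataclasses import dataclass

ROOT = "root"          # hidden root repository, parent of every real repository
EVERYONE = "everyone"  # pseudo-group matched by anonymous and authenticated users alike

@dataclass(frozen=True)
class Grant:
    subject: str     # user name, group name or EVERYONE
    action: str      # "read", "create", "update" or "delete"
    repository: str  # repository slug, or ROOT for "all repositories"
    allow: bool = True

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    authenticated: bool = True

def subjects_of(user):
    """ACL subjects a user matches: EVERYONE, plus own name and groups when logged in."""
    return {EVERYONE, user.name, *user.groups} if user.authenticated else {EVERYONE}

def authorize_buggy(user, action, grants):
    """Pre-fix bug: anonymous may only read, any authenticated user may do anything not denied."""
    if not user.authenticated:
        return action == "read"
    return not any(not g.allow and g.action == action and g.subject in subjects_of(user) for g in grants)

def authorize(user, action, repository, parents, grants):
    """Fix: walk from the repository up to ROOT; the nearest level with a matching grant
    decides, a deny beats an allow at that level, and no match anywhere means deny."""
    subjects, node = subjects_of(user), repository
    while node is not None:
        hits = [g for g in grants if g.repository == node and g.action == action and g.subject in subjects]
        if hits:
            return all(g.allow for g in hits)
        node = parents.get(node)
    return False

def visible_repositories(user, parents, grants):
    """Repository list for a user; the hidden root is never listed."""
    return sorted(r for r in parents if r != ROOT and authorize(user, "read", r, parents, grants))

PARENTS = {ROOT: None, "city-archives": ROOT, "university-library": ROOT}  # constructed sample tree
GRANTS = [Grant(EVERYONE, "read", ROOT),                 # anyone may view any repository
          *(Grant("administrator", a, ROOT) for a in ("create", "update", "delete")),
          Grant("editor", "update", "city-archives")]    # one repository only
ADMIN, EDITOR = User("alice", frozenset({"administrator"})), User("dave", frozenset({"editor"}))
NO_GROUP, TRANSLATOR = User("bob"), User("carol", frozenset({"translator"}))
ANONYMOUS = User("anonymous", authenticated=False)
```

With these grants the group-less user and the translator can read but not change anything, the editor can update only the one repository granted, and the root repository never appears in a listing.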