ArctosDB / arctos

Arctos is a museum collections management system
https://arctos.database.museum

If the public can see it, I should be able to see it when I'm logged in. #3659

Closed KyndallH closed 2 years ago

KyndallH commented 3 years ago

Issue Documentation is http://handbook.arctosdb.org/how_to/How-to-Use-Issues-in-Arctos.html

Is your feature request related to a problem? Please describe.

I shouldn't be getting LESS information when I'm logged in than when I'm not logged in.

I shouldn't have to check everything to see if there is more information if I'm not logged in. If the public can see it, I should be able to see it when I'm logged in.

Describe what you're trying to accomplish

There are several places where this occurs. Currently, I ran into this issue when viewing projects.

When I'm viewing projects as a logged in Arctos user, all I see is me.

Screen Shot 2021-06-10 at 4 05 21 PM

Yet, if I open an incognito window and view as the public would - there is much more information!

Screen Shot 2021-06-10 at 4 05 04 PM

Describe the solution you'd like

Fancy computer code.

Describe alternatives you've considered

Open EVERYTHING I do in Arctos in an Incognito window to double check I'm not missing something.

Priority

Today, middle of the road.

dustymc commented 3 years ago

See also:

https://github.com/ArctosDB/arctos/issues/3561

https://github.com/ArctosDB/arctos/issues/2616

https://github.com/ArctosDB/arctos/issues/2577

And some others I'm sure.

This is a common request; I don't quite know how to do it. Requests would need to somehow pull from one node (which contains encumbered data) for "your" records, and another (which contains only public data) for other records, somehow allow edit access only to "yours," etc. None of that seems technically implausible, but I think it's significant development. Maybe a more API-centric approach (https://github.com/ArctosDB/arctos/issues/2745) will open up possibilities.

mkoo commented 3 years ago

I think we should consult with PG experts, maybe as part of TACC audit? Or even a specific consultation for issues potentially impacted by or on VPD.

dustymc commented 3 years ago

Some outside consultation would be extremely useful, but I'm not sure database folks will have what we're looking for - RLS in PG is pretty straightforward, defining or using (or maybe something I haven't even thought of) is where I think the complexity lies.

I definitely won't say "no" to any consultation, even if it ultimately doesn't lead where we hoped!

Backing WAY up and thinking hard about how (perhaps even if) we cache, what the default Arctos UI looks like, whether the public and curatorial UIs share any code, etc., seems the ideal place to start this conversation, but that may also be more than we can handle at the moment.

Jegelewicz commented 3 years ago

Treat this the same way we do agents. You can see that other colls have records associated with the project, but you will only see details for those that you have edit access for.

dustymc commented 3 years ago

A realistic possibility:

So for example from projects a user could query as themselves to find records they can control, or select (via some widget somewhere in the page) a different user to see what the public sees without ending their operator session.

Blocked by https://github.com/ArctosDB/internal/issues/60

dustymc commented 2 years ago

merge --> https://github.com/ArctosDB/arctos/issues/3694