CatalogueOfLife / checklistbank

UI for checklistbank.org
https://www.checklistbank.org/

Editors do not automatically get editor role for releases of their projects #1268

Closed mdoering closed 1 year ago

mdoering commented 1 year ago

Camila is the creator of a project, but does not see the private toggle switch to publish the release.

camiplata commented 1 year ago

I can't see the toggle yet

mdoering commented 1 year ago

what is the link please?

mdoering commented 1 year ago

If it was on DEV, the UI wasn't updated. I just did.

mdoering commented 1 year ago

@camiplata if it's still not there please reopen

camiplata commented 1 year ago

I cleaned the cache but it is not visible yet. (I don't have permits to reopen an issue)

link to my test release: https://www.dev.checklistbank.org/dataset/264658/about

mdoering commented 1 year ago

@thomasstjerne could you please look into this?

camiplata commented 1 year ago

I would like to add that the problem is not only the toggle, it is about all the features that need editor rights. I can't see the issues, check duplicates, edit metadata among others. I'm the editor of the project but have no rights over the releases.

DianRHR commented 1 year ago

I have the same problem. I have a project, made a release but can't go further. The id of my release is 265170. https://www.dev.checklistbank.org/dataset/265170/about
And Camila helped me making the xrelease, but still can't get the issues or duplicates either in the release or the xrelease.

thomasstjerne commented 1 year ago

@mdoering I think there is a backend adjustment needed here. I would expect that any editor of a project would automatically have the editor role for any release of that project. As far as I can see, @DianRHR does not have editor roles for any releases, not even those that she triggered herself: https://www.dev.checklistbank.org/dataset?editor=643&limit=50&offset=0&origin=release&origin=xrelease&reverse=false

mdoering commented 1 year ago

That is not expected, for all releases one has to check with the project, not the release. Otherwise we would have to change all releases each time the project rights change

mdoering commented 1 year ago

see https://github.com/CatalogueOfLife/backend/issues/983

thomasstjerne commented 1 year ago

The user endpoint https://api.dev.checklistbank.org/user/me has an editor array (see below). Would it be possible to fill releases into that from the backend by a DB join? The frontend auth simply scans that array for the datasetkey to see if the user has access.

{
    "key": 100,
    "username": "username",
    "firstname": "Thomas Stjernegaard",
    "lastname": "Jeppesen",
    "email": "email@email.org",
    "orcid": "0000-0003-1691-239X",
    "country": "DK",
    "roles": [
        "editor",
        "admin"
    ],
    "editor": [
        9847,
        9802
    ],
    "lastLogin": "2020-04-20T09:47:04.111592",
    "created": "2019-11-21T13:01:20.192964"
}

mdoering commented 1 year ago

Probably, let me see. It might become large in some cases. There is also a /user/dataset/{datasetKey} isAuthorized method that checks if the current user has read access for the given dataset. If we could use the method to verify dataset rights that would be much better as it keeps all logic in the backend then. Feasible?

mdoering commented 1 year ago

Also be aware that there is a reviewer field with dataset keys on the user object that should also have read access to these datasets. Viewing a private release and seeing its duplicate should be possible. Just not applying any changes. The backend will guard this, so if forms are there for reviewers at least they cannot cause any harm.

This is also being taken into account in the above isAuthorized method.

mdoering commented 1 year ago

Finally there is also a /user/dataset/{datasetKey}/write method to check for write access.

mdoering commented 1 year ago

I have deployed a change to include release keys in the user objects retrieved from the /me resource - but from nowhere else!

If feasible I would still prefer the UI to consult the isReadable or isWritable methods which would encapsulate all the logic better.
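
Added example, not part of the thread and not ChecklistBank code: the difference between scanning the user's `editor` array for a release key and resolving the release to its project before checking rights, with reviewers limited to read access. The dataset records, the `sourceKey` field and all function names are assumptions made for this sketch; only the `editor` and `reviewer` user fields come from the discussion above.

```javascript
// Constructed sample data. `sourceKey` (release -> project) is a hypothetical
// field name; the real backend may model this link differently.
const datasets = new Map([
  [3, { key: 3, origin: "project" }],
  [1001, { key: 1001, origin: "release", sourceKey: 3 }],
  [1002, { key: 1002, origin: "xrelease", sourceKey: 3 }],
  [9, { key: 9, origin: "project" }],
]);

// The check described for the frontend: look for the dataset key itself in
// the editor array. A release key is never listed there, so this denies it.
function scanEditorArray(user, datasetKey) {
  return (user.editor || []).includes(datasetKey);
}

// Rights are held on the project, so a release or xrelease is mapped to its
// project first. Unknown datasets resolve to null and are denied (fail closed).
function rightsKey(datasetKey) {
  const d = datasets.get(datasetKey);
  if (!d) return null;
  return d.origin === "project" ? d.key : (d.sourceKey ?? null);
}

// Write access: the user must be an editor of the owning project.
function canWrite(user, datasetKey) {
  const key = rightsKey(datasetKey);
  return key !== null && (user.editor || []).includes(key);
}

// Read access: editors and reviewers of the owning project.
function canRead(user, datasetKey) {
  const key = rightsKey(datasetKey);
  if (key === null) return false;
  return canWrite(user, datasetKey) || (user.reviewer || []).includes(key);
}

// Constructed users: one edits project 3, the other only reviews it.
const projectEditor = { key: 1, editor: [3], reviewer: [] };
const projectReviewer = { key: 2, editor: [], reviewer: [3] };
```

In a browser client these functions only decide what to display; the decision that counts is the one the backend makes on each request.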

mdoering commented 1 year ago

Does it work now with the new service?

camiplata commented 1 year ago

@mdoering Thanks for clarifying that releases don't have the issues or duplicate options. Nevertheless the project is not showing duplicate and issues from the xrelease details on this issue

camiplata commented 1 year ago

Maybe we can check together how the release should look in our next meeting, as I think I might have misunderstood some of your comment above.

mdoering commented 1 year ago

I have deployed a new implementation to DEV which does work for me using @camiplata's credentials. I can log in and do see the COL releases and their duplicate search and metadata/private toggles.