DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

Review and correct permissions for editing #220

Closed raycarrick-ed closed 7 years ago

raycarrick-ed commented 7 years ago

Following on from https://github.com/DMPRoadmap/roadmap/issues/219, these permissions need to be implemented in the plan creation/editing workflow.

raycarrick-ed commented 7 years ago

Addressed in https://github.com/DigitalCurationCentre/roadmap/commit/a66f6256dbe7d1c5aa2ccd7b79f50f506dde4a64

stephaniesimms commented 7 years ago

I can change my own permissions on a plan, which should not be the case. I just reduced my permissions from Co-owner to Read only. I can only reduce my own permissions, not reinstate the higher level of access (i.e., I can't return my permissions to Co-owner). As a Co-owner I should be able to invite others but I should not be able to change my own perms.

A separate issue described in #219 remains: with read only perms I still cannot view the plan (screenshot below). This is all apparently related to issue #219 still in progress and neither is fixed yet.

[Image: screen shot 2017-05-01 at 3 38 35 pm]

sjDCC commented 7 years ago

This is what is currently on DMPonline live and test site (see screengrab). The original creator / owner of the plan shouldn't be able to edit their own role but can amend others. Is this how it presents for you too?

[Image: capture]

Stephanie, did you create the plan you're talking about? Perhaps you shared it with a secondary account you have since you described yourself as co-owner? It is confusing if co-owners reduce their own permissions as they wouldn't then have rights to change them back, but the original plan owner always would have the ability to do this.

stephaniesimms commented 7 years ago

Yes @sjDCC, as a Co-owner I was able to reduce my own position, which seems weird/undesirable (screenshot below). I think the solution is to prevent any user attached to a plan from editing their own role.

[Image: screen shot 2017-05-02 at 10 36 00 am]

sjDCC commented 7 years ago

Agree. Opening this as new ticket with general MVP tag as not convinced it's essential for 0.3 release. If you're unsure about including it for MVP I'm also happy for it to be scheduled later.

stephaniesimms commented 7 years ago

@sjdcc Just to confirm: new ticket looks good. This is definitely a bug and should be part of MVP. A user should never be able to edit their own perms.
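
The rule agreed in this thread (no user may change their own role on a plan, while the creator or a co-owner may change other users' roles) can be enforced as a server-side check. The following is an added example, not DMPRoadmap's code: the `Role` struct, the `RoleChangePolicy` class, the `:editor` level and the decision to keep the creator's role fixed are assumptions made for illustration.

```ruby
# Added example: plain-Ruby sketch of the role-change rule from this thread.
# All names here (Role, ACCESS_LEVELS, RoleChangePolicy) are hypothetical,
# not DMPRoadmap's models.

Role = Struct.new(:user_id, :plan_id, :access, :creator)

# Ordered weakest to strongest; :editor is an assumed middle level.
ACCESS_LEVELS = %i[read_only editor co_owner].freeze

class RoleChangePolicy
  def initialize(actor_id, roles)
    @actor_id = actor_id
    @roles = roles # every Role row attached to one plan
  end

  # Returns [allowed, reason]. Meant to run server-side on every update,
  # regardless of which controls the UI renders.
  def change(target_user_id, new_access)
    actor  = @roles.find { |r| r.user_id == @actor_id }
    target = @roles.find { |r| r.user_id == target_user_id }

    return [false, :unknown_access_level] unless ACCESS_LEVELS.include?(new_access)
    return [false, :actor_not_on_plan] if actor.nil?
    return [false, :target_not_on_plan] if target.nil?
    # The rule from the thread: nobody edits their own role, up or down.
    return [false, :self_edit] if target.user_id == actor.user_id
    return [false, :insufficient_access] unless actor.creator || actor.access == :co_owner
    # Assumption: the creator's role is fixed, so the creator can always
    # repair other users' roles.
    return [false, :creator_role_fixed] if target.creator

    target.access = new_access
    [true, :ok]
  end
end

# Constructed sample data: user 1 created plan 7, user 2 is a co-owner,
# user 3 has read-only access.
def sample_roles
  [Role.new(1, 7, :co_owner, true),
   Role.new(2, 7, :co_owner, false),
   Role.new(3, 7, :read_only, false)]
end

if __FILE__ == $PROGRAM_NAME
  roles = sample_roles
  p RoleChangePolicy.new(2, roles).change(2, :read_only) # co-owner self-downgrade
  p RoleChangePolicy.new(2, roles).change(3, :editor)    # co-owner edits another user
end
```
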