Datasets visible to all users (even when marked 'private')

ErwinKomen / RU-passim

0 stars 0 forks source link

Datasets visible to all users (even when marked 'private') #748

Closed shariboodts closed 2 months ago

shariboodts commented 2 months ago

Currently datasets are visible to all users, even when marked 'private'. Please change so that only datasets marked 'public' are visible to all users. Datasets marked 'private' should only be visible to the person who created the dataset in question.

ErwinKomen commented 2 months ago

Implementation

Dataset listview
1. Url is dataset/private/list, but pointing to CollectionListView with prefix priv
2. Is the problem in adapt_search() for the priv??
  1. Yes it is: there is no (restrictive) else defined after checking whether user is in app_editor group
  2. Added a default restriction to publ for this situation

Results: works correctly now.

shariboodts commented 2 months ago

I checked this issue from my 'regular user' account and have noticed:

Visibility works correctly now: I can only see public datasets.
When I click on MyDatasets in MyPASSIM, I go to a list view with all public datasets, not a list view of my own (public+private) datasets.

ErwinKomen commented 2 months ago

When I click on MyDatasets in MyPASSIM, I go to a list view with all public datasets, not a list view of my own (public+private) datasets.

That's not true. When I log in with your username, "MyDatasets" leads me to public + private datasets.

shariboodts commented 2 months ago

Wanneer ik inlog met shariboodts_user (een gewone user, zonder speciale rechten), zie ik enkel public datasets, niet mijn eigen datasets (2 - ik heb er net een nieuwe gecreëerd om het te testen).

ErwinKomen commented 2 months ago

Yes, I see now. You're right. I only allowed public datasets for non editors. That was wrong...

Implementation

Users-only may see:
1. their own private + public, if nothing else is specified
2. Their own private ones, if scope is priv
3. Public ones, if scope is publ (or team - which should have no other effect)

Private dataset viewing

I had not yet addressed the visibility of the details view of private datasets. That should be changed too, in accordance with:

... only datasets marked 'public' are visible to all users. Datasets marked 'private' should only be visible to the person who created the dataset in question.

When a user tries to see something that is private to someone else, need to make sure that permission is set to false
Handled that in CollAnyEdit method add_to_context()