Hypertopic / Cassandre

Diary for qualitative analysis
https://hypertopic.org/cassandre
GNU Affero General Public License v3.0

A reader should be able to unsubscribe from a memo #101

Closed (benel closed 2 years ago)

benel commented 4 years ago

One of my TA's students oddly shared one of her memos with me. The (small) problem I have is that it misleads me into reviewing her diary. As an authorized reader of a memo, I would like to unsubscribe from it. But I cannot since I'm not a "contributor". Please note that this issue could also be related to legal aspects ("General Data Protection Regulation").

Technically, this could be done by using an _update function that would be specialized in changing "readers".

christophe-lejeune commented 4 years ago

I understand the situation may be uncomfortable for you (or for any user in such a situation).

Be aware that, when access is accidentally granted for one memo, you do not have access to the diary it belongs to as a whole: you only have access to the memo in question (this was not the case with previous versions of Cassandre). Such a behaviour (limiting access to the memo you are a reader of) is a good GDPR practice. Note that similar behaviours are currently being extended to other Cassandre features (including user activity and diary history).

In the scenario you describe, the only GDPR issue concerns the diary history, which you can read as a whole although you have access to only one memo in the diary. As indicated above, this behaviour will be modified (when I have the time to do so) so that the diary history follows user rights. Note that I discussed this behaviour a few days ago with my University DPO (Data Protection Officer): he was not worried about it. As a precaution, this feature has, however, been recorded as one of ULiege's data treatments.

Apart from the diary history, accidentally granting a reader access is not a technical GDPR issue, but a human one. As you indicate, the owner of the memo gave access: the platform has no way to identify that this access was granted by mistake.

Of course, you are not the first person facing such a situation. User mistakes concerning access occur quite frequently. Up to now, users have always managed to fix it themselves, without additional technical development. When a user is faced with a memo that s/he should not be allowed to read, s/he enters a comment asking this memo's contributors to remove her (or him) from the readers. The situation is then quickly fixed.

Having in mind that, in your situation, the user is likely to leave the platform (and thus the access) in an undesired state, you may modify your rights (for this particular memo) directly in the database (as one of its admins). I agree that this specific workaround is quite inelegant.

My above comment puts things into perspective. However, I may consider your suggestion to use an _update function. This is not the first time you mention this function (that I still do not know and thus do not use). As you can imagine, I do not like the idea of allowing a reader to modify a document s/he is not allowed to modify (this would be a GDPR issue)... but perhaps a specialised _update function may prevent the reader from modifying anything except her/his own subscription. I will have to investigate this.

christophe-lejeune commented 3 years ago

To allow a reader to unsubscribe from a memo, a special exception was introduced in the validation function: right management is escaped when the modification concerns only the `readers` field.

Side effects include that a logged-in user with no contributor right may be able to grant a private access for her/himself to a public memo. If such a side effect is of course undesired, it does not apply to any known usages (at this stage, no user publicly shares memos on my instance of Cassandre).

I did not find a more secure way to allow readers to unsubscribe (I do not think it is possible to create an exception to the validation function dedicated to one specific update function). Do not hesitate to suggest any idea that could help to provide a more secure/dedicated way to allow readers to unsubscribe.
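
A narrower form of the exception described above, as an added example that is not part of the thread or of Cassandre's code: a non-contributor may change only `readers`, and only by removing their own name, which closes the self-grant side effect. It assumes a CouchDB-style validation signature `(newDoc, oldDoc, userCtx)` and a hypothetical `contributors` field; all function names are illustrative.

```javascript
// Added example, not Cassandre's code. Assumed memo shape (hypothetical):
// { _id, _rev, body, contributors: [names], readers: [names] }.
// Written in ES5 so it could be adapted into a CouchDB design document.

// True when every field except `readers` (and revision bookkeeping) is unchanged.
// JSON.stringify is order-sensitive, so a reordered nested object is rejected:
// the check fails closed.
function onlyReadersChanged(newDoc, oldDoc) {
  var ignored = { readers: true, _rev: true, _revisions: true };
  var keys = Object.keys(newDoc).concat(Object.keys(oldDoc));
  for (var i = 0; i < keys.length; i++) {
    if (ignored[keys[i]]) continue;
    if (JSON.stringify(newDoc[keys[i]]) !== JSON.stringify(oldDoc[keys[i]])) return false;
  }
  return true;
}

// True when the new list is exactly the old list minus `name`.
function isSelfUnsubscribe(newDoc, oldDoc, name) {
  var before = oldDoc.readers || [];
  if (before.indexOf(name) === -1) return false;
  var expected = before.filter(function (r) { return r !== name; });
  return JSON.stringify(expected) === JSON.stringify(newDoc.readers || []);
}

// Same signature and error convention as a CouchDB validate_doc_update function.
function validateMemoUpdate(newDoc, oldDoc, userCtx) {
  if (!userCtx.name) throw { unauthorized: 'Please log in.' };
  if (!oldDoc) return; // creation rules are out of scope here
  if ((oldDoc.contributors || []).indexOf(userCtx.name) !== -1) return;
  if (onlyReadersChanged(newDoc, oldDoc) &&
      isSelfUnsubscribe(newDoc, oldDoc, userCtx.name)) return;
  throw { forbidden: 'Readers may only remove themselves from `readers`.' };
}

// Helper for trying the rule outside CouchDB: 'ok', 'forbidden' or 'unauthorized'.
function outcome(newDoc, oldDoc, name) {
  try { validateMemoUpdate(newDoc, oldDoc, { name: name }); return 'ok'; }
  catch (e) { return e.forbidden ? 'forbidden' : 'unauthorized'; }
}
```

With this rule a logged-in user who is neither contributor nor reader cannot add themselves to `readers`, and a reader cannot remove anyone else.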

benel commented 2 years ago

Thank you for this implementation (and sorry for not having tested it earlier).