Closed ri-pandey closed 9 months ago
@deepakduggirala I have undone the access-control constraints that I outlined above, and updated the code based on our talk yesterday. Here is an updated description:
In ticket #104 we introduced the constraint of checking for project-user association before fetching project-dataset associations, which is not necessary. I have removed this change, so that operators and admins can see project-dataset associations regardless of whether or not they are associated with the project. The constraint of user role only being able to call this endpoint for projects owned by them is still in place.
Description
The SearchAndSelect widget wasn't tested with the Project-Datasets pagination code. This PR adds the fixes necessary for that.
Related Issue(s)
Closes #104 and #114
If applicable, please reference the issue(s) that this PR addresses. If the PR does not address any specific issue, you can remove this section.
Changes Made
List the main changes made in this PR. Be as specific as possible.
I updated the DatasetSelect widget so that it only returns datasets that match a search if the current user is permitted to see the list of datasets assigned to the project (i.e., if the user has an association for this project). Without this we would be running into cases where an operator cannot see the list of datasets assigned to a project, but they can still search for datasets in the DatasetSelect widget, and thereby see which datasets are assigned to this project. For this, the /datasets/ endpoint now checks for project-user association if a project_id param is included in the query. If the param is included, and the requester does not have an association for the project, the /datasets/ endpoint returns an empty array, which results in the DatasetSelect not showing any options to choose from.
I also added an API endpoint to get a list of datasets assigned to the given project. This is used to determine which datasets should have a + / - icon next to them in the DatasetSelect widget (previously we were relying on the datasets stored inside projectFormStore to determine this, which we can't do anymore, since we now fetch datasets in batches for the pagination). This endpoint also only returns datasets belonging to a project if the requester has an association with the given project.
I also modified the projects/:id/datasets endpoint so that it doesn't drop all datasets before creating new associations for all of them (original behavior). Instead the endpoint now takes a list of add_dataset_ids and remove_dataset_ids. These lists of datasets are added/removed in one transaction. I also changed this endpoint from PUT to PATCH since it seemed more appropriate.
Furthermore, the ProjectDatasetsTable now re-triggers datasets' retrieval when datasets are added/removed via the SearchAndSelect widget.
I also made a change where we are no longer storing the paginated project-datasets inside projectFormStore, and instead storing them in the local state of ProjectDatasetsTable (other places in the codebase that were using the projectFormStore are not affected). While this isn't strictly necessary, I decided to stick with this change.
Finally, I fixed the DatasetSelect widget in CreateProjectStepper so that it now functions with the updated DatasetSelect.
The endpoints that I have modified should have all of their usages throughout the app accounted for.
Here is an updated review of how the Project-Datasets pagination and the DatasetSelect work based on different roles:
All the other changes in the PR are from reverting and then re-reverting tickets #104 and #114, meaning that those changes have already been reviewed.
Checklist
Before submitting this PR, please make sure that:
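As an added example that is not part of the original PR or the project's code: a minimal in-memory model of the server-side behaviours described above, namely the /datasets/ search and the assigned-datasets listing returning an empty array when the requester may not see the project's datasets, and the PATCH applying add_dataset_ids and remove_dataset_ids all-or-nothing. The role rule follows the updated comment (operators and admins always permitted, the user role only with an association); the function names, the data layout and the rejection of unknown ids are assumptions.

```javascript
// Constructed sample data; the layout is hypothetical, not the project's schema.
const db = {
  datasets: [{ id: 1, name: 'genome_a' }, { id: 2, name: 'genome_b' }, { id: 3, name: 'rna_seq' }],
  projectUsers: { p1: new Set(['alice']) },   // project-user associations
  projectDatasets: { p1: new Set([1]) },      // project-dataset associations
};

// Assumed rule: operators and admins always pass; the `user` role needs an association.
function canViewProjectDatasets(requester, projectId) {
  if (requester.role === 'admin' || requester.role === 'operator') return true;
  return db.projectUsers[projectId]?.has(requester.username) ?? false;
}

// Model of the /datasets/ search. The check applies only when project_id is sent.
function searchDatasets(requester, { name = '', project_id } = {}) {
  if (project_id !== undefined && !canViewProjectDatasets(requester, project_id)) {
    return []; // same shape as "no match", so the widget shows no options
  }
  return db.datasets.filter((d) => d.name.includes(name));
}

// Model of the endpoint that lists a project's assigned datasets (drives the + / - icons).
function listProjectDatasetIds(requester, projectId) {
  if (!canViewProjectDatasets(requester, projectId)) return [];
  return [...(db.projectDatasets[projectId] ?? [])].sort((a, b) => a - b);
}

// Model of PATCH projects/:id/datasets: stage on a copy, commit only if every id is valid.
// The caller is assumed to be authorized already; the page does not state that rule.
function patchProjectDatasets(projectId, { add_dataset_ids = [], remove_dataset_ids = [] }) {
  const known = new Set(db.datasets.map((d) => d.id));
  const staged = new Set(db.projectDatasets[projectId] ?? []);
  for (const id of [...add_dataset_ids, ...remove_dataset_ids]) {
    if (!known.has(id)) throw new Error(`unknown dataset id ${id}`); // nothing committed
  }
  for (const id of remove_dataset_ids) staged.delete(id);
  for (const id of add_dataset_ids) staged.add(id);
  db.projectDatasets[projectId] = staged; // single commit point
  return [...staged].sort((a, b) => a - b);
}
```

Both read paths go through the same permission function, so the search cannot reveal what the listing withholds.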