search

NCEAS / metacatui

MetacatUI: A client-side web interface for DataONE data repositories
https://nceas.github.io/metacatui
Apache License 2.0
41 stars 26 forks source link

IsAdmin (enable functionality based on user’s membership to admins groups) #1815

Closed vchendrix closed 3 years ago

vchendrix commented 3 years ago

Describe the feature you'd like We are requesting a feature that allows us to configure repository administrator groups (e.g. ess-dive-admins, ) that can turn on/off capabilities in the user interface. Some of the capabilities that we would like toggled based on repository adminisitrator membership are:

  1. Permisssions panel - public/private data package toggle
  2. Permissions panel - ability to remove default access policy groups - (it is understood that this functionality may be tied other enhancements outside of this)
  3. Settings > Groups - Add new group button
  4. Other funtionality?

Is your feature request related to a problem? Please describe. In ESS-DIVE, we have not enable the permissions panel yet due to the fact that we do not want registered users to be able to remove default access policies nor change public access of their data pakcages.

Additionally, since group name are unique across all of DataONE we would like to control group naming to be easily discernible as ESS-DIVE groups. Also, as we explore what a project is in ESS-DIVE we would like to tie groups to projects.

Additional context The way we have currently implemented this is as follows. Please note that we have allowedtosubmit groups. However, I don't think we will necessarily need this.

config.js

MetacatUI.officialGroups = {
    adminGroups: "adminGroups",
    allowedToSubmitDataGroups: "allowedToSubmitDataGroups"
};

/**
 * Determine if the user is the member of a configured admin group
 *
 * @param {Array} isMemberOf - an array of groups (subject strings)
 * @returns {boolean}
 */
MetacatUI.checkIfMemberOf = function (isMemberOf, chosenGroups) {
    // Get the chosen groups subjects
    var retrievedChosenGroups = MetacatUI.appModel.get(chosenGroups);

    // create a list of subject strings from the group objects
    //    "groupId" is the subject
    var userGroups = isMemberOf.map(function(x){return x.groupId;});

    // is the user's groups in the chosen groups?
    var userMemberOfChosenGroups = $(retrievedChosenGroups).not($(retrievedChosenGroups).not(userGroups));
    return (userMemberOfChosenGroups.length > 0);
};

/**
 * Determine if the user is allowed to submit data to this archive
 *
 * If no allowedToSubmitDataGroups are specified then the user is allowed to submit. If
 * allowedToSubmitDataGroups are specified the user may only be allowed to submit data if they
 * belong to one of the listed groups.
 *
 * @param user - a UserModel
 * @returns {boolean}
 */
MetacatUI.isAllowedtoSubmitData = function (user) {

    return (!MetacatUI.appModel.get(MetacatUI.officialGroups.allowedToSubmitDataGroups) ||
        MetacatUI.appModel.get(MetacatUI.officialGroups.allowedToSubmitDataGroups).length == 0) ||
        MetacatUI.checkIfMemberOf(
            user.get("isMemberOf"),
            MetacatUI.officialGroups.allowedToSubmitDataGroups);
};

AppConfig

   ...
    # mirrors groups allowed to submit in metacat.properties
    allowedToSubmitDataGroups: [
        "CN=ess-dive-admins,DC=dataone,DC=org",
        "CN=ess-dive-users,DC=dataone,DC=org",
    ],
    adminGroups: [
        "CN=ess-dive-admins,DC=dataone,DC=org"
    ],
  ...
laurenwalker commented 3 years ago

Thanks Val.

  1. Permisssions panel - public/private data package toggle
  2. Permissions panel - ability to remove default access policy groups - (it is understood that this functionality may be tied other enhancements outside of this) In ESS-DIVE, we have not enable the permissions panel yet due to the fact that we do not want registered users to be able to remove default access policies nor change public access of their data pakcages.

There are quite a few MetacatUI configuration options to control the permission panel. For example, it is already possible in MetacatUI to restrict non-admin users from removing certain permissions and/or to use the privacy toggle. If you look at the configuration documentation, you will see the full list of options. Take a look at allowAccessPolicyChangesDatasetsForSubjects and hiddenSubjectsInAccessPolicy. These take care of features 1 and 2, respectively.

All of the config options are documented there and I always list the new/changed configs in the release notes for each release. I hope this can help in the future so you don't miss out on using new features! With almost every new functionality we add to MetacatUI, there is almost always a corresponding config options that enables the MetacatUI admin to configure it off or restrict it only certain users.

We currently don't have the ability to restrict dataset submissions to an allowedtosubmit group, other than in Metacat. I will make a separate GH issue for that feature to track that functionality, specifically.

We've decided to configure the list of subjects for each functionality/feature separately rather than have a master list of groups (such as a single admin group). This allows greater flexibility for different Metacat/UI repositories who may operate multiple levels of administrators and/or who want to configure each functionality separately. So your config file for MetacatUI may have many config options (e.g. allowAccessPolicyChangesDatasetsForSubjects) configured with your admin group subject. It will look repetitive, but ultimately it's more modular and flexible!

MetacatUI.checkIfMemberOf

We do have a function in MetacatUI like this already: hasIdentityOverlap, so you might look into using that instead. It checks if the current user is in any of the given groups or is an equivalent identity (e.g. mapped DataONE subject).

I'm going to close this issue since I think most of the points you brought up are already covered, except for the allowedtosubmit group, for which I'll create a new issue. Let me know if I missed anything else!