Filter cohorts and concepts by permission (#2245)

chrisknoll commented 11 months ago

Enable WebAPI to do filtering based on READ permissions. The new property is called security.defaultGlobalReadPermissions.

chrisknoll commented 11 months ago

@rkboyce : please pull this branch and test on your local environment.

rkboyce commented 11 months ago

All of the following tests passed:

Configuration 1:

WebAPI: false</security.defaultGlobalReadPermissions>
Atlas: configLocal.enablePermissionManagement = true;

A test user with the following roles:

Atlas users
Moderator
Source user (<some source>)
admin
cohort creator
cohort reader
concept set creator
public
<user specific role>

A test user with the following roles but who does not have the permissions that follow the listed roles:

-- Roles
Source user (<some source>)
cohort creator
concept set creator
public
<user specific role>

-- The user does not have these permissions 

              'conceptset:*:get',
              'conceptset:*:expression:get',
              'conceptset:*:version:*:expression:get',             
        --
              'cohortdefinition:*:get',
              'cohortdefinition:*:info:get',
              'cohortdefinition:*:version:get',
              'cohortdefinition:*:version:*:get',        
        --        
          'cohort-characterization:*:get',
               'cohort-characterization:*:generation:get',
        'cohort-characterization:generation:*:get',
        'cohort-characterization:design:get',
        'cohort-characterization:*:design:get',
        'cohort-characterization:design:*:get',
        'cohort-characterization:*:version:get',
        'cohort-characterization:*:version:*:get',
        --
        'pathway-analysis:*:get',
        'pathway-analysis:*:generation:get',
        'pathway-analysis:generation:*:get',
        'pathway-analysis:generation:*:result:get',
        'pathway-analysis:generation:*:design:get',
        'pathway-analysis:*:version:get',
        'pathway-analysis:*:version:*:get'
        --
        'ir:*:get',
        'ir:*:copy:get',
        'ir:*:info:get',
        'ir:*:design:get',
        'ir:*:version:get',
        'ir:*:version:*:get'
        --      
        'estimation:*:get',
        'estimation:*:copy:get',
        'estimation:*:download:get',
        'estimation:*:export:get',
        'estimation:*:generation:get',
        'comparativecohortanalysis:*:get', -- might only apply to older versions of Atlas/WebAPI
        --
        'prediction:*:get',
        'prediction:*:copy:get',
        'prediction:*:download:get',
        'prediction:*:export:get',
        'prediction:*:generation:get',
        'prediction:*:exists:get',
        'plp:*:get' -- might only apply to older versions of Atlas/WebAPI

Test 1: expected behavior - filtering of listed entities based on READ permissions by WebAPI

User logs in and can view all of the entities that the user has READ permissions to (concept sets, cohort definitions, characterizations, cohort pathways, incidence rates, estimation, prediction) - Passed

Test 2: ability to add READ/WRITE permissions to any entity that the user has WRITE permissions to

User creates an entity or opens an existing entity that they have WRITE permissions for and can add READ/WRITE permissions to that entity for another user. The other user will be able to view (if given READ permissions) and edit (if given WRITE permissions) - Passed

Test 3: ability to remove READ/WRITE permissions to any entity that the user has WRITE permissions to

User opens an existing entity that they have WRITE permissions for and can remove the READ/WRITE permissions to that entity for another user. The other user will not be able to view (if READ permissions are removed) nor edit (if WRITE permissions are removed) that entity - Passed

OHDSI / WebAPI

Filter cohorts and concepts by permission (#2245) #2301

Configuration 1: