paul121
commented
1 year ago One solution is to only allow mangers and data administrators to add assets to plans, but that feels overly restrictive and creates a lot of work for those people. The other solution I can think of (but still not perfect) is you can only add assets to a plan if you (a) created them or (b) are listed as an owner of that asset. Otherwise you can view
Yeah I think these are the two general options. There is no perfect solution here that doesn't require some form of "only allow some people to add assets to plans".
It makes me wonder if maybe this plan -> asset relationship should not be used to determine who can edit assets. Instead, that logic could be elsewhere (see #575). But perhaps still use this logic for logs?
Following issue #373 I’ve just realised a fundamental flaw in what I specified for the Research Lead and Research Editor roles, as these two users can add an assets that doesn’t belong to them to a plan they are associated with, and by adding it thereby give themselves permission to edit it. In terms of user behaviour I doubt this will happen maliciously, but I imagine it could happen in error.
One solution is to only allow mangers and data administrators to add assets to plans, but that feels overly restrictive and creates a lot of work for those people. The other solution I can think of (but still not perfect) is you can only add assets to a plan if you (a) created them or (b) are listed as an owner of that asset. Otherwise you can view.
Included here for discussion