STARIONGROUP / COMET-IME-Community-Edition

The Concurrent Design Desktop Application and Excel Integration compliant with ECSS-E-TM-10-25 Annex A and Annex C
https://www.stariongroup.eu

[bug] [CDF] Model participants appear with missing person when using specific set of permissions #1322

Open JustinBourgois opened 5 months ago

JustinBourgois commented 5 months ago

A new person role called CDFTEAM was recently introduced on our server, which has most of the same permissions as Site administrator, but not quite (no account or permission management).


When a user connects with this role, many participants in many models appear without a person associated with them; see below.


```json
[
  {
    "classKind": "Participant",
    "domain": [
      "9f48ef62-7890-4283-aa63-80206d042330"
    ],
    "excludedDomain": [],
    "excludedPerson": [],
    "iid": "4b6f80a5-6f09-4ead-a50a-821a4d571b22",
    "isActive": true,
    "modifiedOn": "2021-08-25T16:49:33.634Z",
    "person": "00000000-0000-0000-0000-000000000000",
    "revisionNumber": 1,
    "role": "603846ff-8180-404b-a254-1facb7ea80e6",
    "selectedDomain": "9f48ef62-7890-4283-aa63-80206d042330",
    "thingPreference": null
  }
]
```

I have not yet been able to figure out any logic behind which participants appear without a person. What my testing has revealed though is that the "Person" access right setting is partly responsible for this behaviour. Setting it to "modify" rather than "modify own person" for the CDFTEAM role fixes the issue. However, it's more complex than that, as the regular users, Concurrent Design Team Members, have the "Person" access right set to "modify own person" and the issue does not occur for them. So, it seems to be a certain combination of access rights that causes the issue.

lxatstariongroup commented 5 months ago

@samatrhea We have an edge case here:

Because the MODIFY_OWN_PERSON access right is set on the Person ClassKind, the COMET webservice only allows the user to see Persons that are a Participant of an EngineeringModelSetup in which the logged-in user is (also) a Participant. So the logged-in user is not allowed to see Persons that are NOT a Participant of an EngineeringModelSetup in which the logged-in user is also set as a Participant. This combination means that all Participants for all models are visible, but not all Persons "connected" to those Participants, which leads to incomplete data (red exclamation marks) in COMET IME.
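A small Python model of the rule described in the comment above, added here as an illustration; it is not part of the thread and not the COMET webservice's code. The function names, the `sees_all_participants` switch, the sample data, and the assumption that an unreadable Person is returned as the nil GUID seen in the reported JSON are all constructed for this example.

```python
NIL_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample: EngineeringModelSetup -> {participant id: person id}
SETUPS = {
    "ModelA": {"pa1": "alice", "pa2": "bob"},
    "ModelB": {"pb1": "carol", "pb2": "bob"},
}


def visible_persons(user, setups, person_access):
    """Persons the user may read, per the rule described in the thread."""
    everyone = {p for parts in setups.values() for p in parts.values()}
    if person_access == "MODIFY":
        return everyone
    if person_access == "MODIFY_OWN_PERSON":
        shared = {user}
        for parts in setups.values():
            if user in parts.values():
                shared |= set(parts.values())
        return shared
    raise ValueError(f"unmodelled access right: {person_access}")


def participant_dtos(user, setups, person_access, sees_all_participants):
    """Participant records as a client would receive them (assumed shape)."""
    allowed = visible_persons(user, setups, person_access)
    dtos = []
    for model, parts in setups.items():
        if not sees_all_participants and user not in parts.values():
            continue  # hypothetical role limited to the user's own models
        for iid, person in parts.items():
            # Assumption: an unreadable Person is serialized as the nil GUID.
            shown = person if person in allowed else NIL_GUID
            dtos.append({"classKind": "Participant", "iid": iid, "person": shown})
    return dtos


def dangling_participants(dtos):
    """Ids of Participants whose person reference cannot be resolved."""
    return sorted(d["iid"] for d in dtos if d["person"] == NIL_GUID)


if __name__ == "__main__":
    for access, sees_all in [("MODIFY_OWN_PERSON", True), ("MODIFY", True),
                             ("MODIFY_OWN_PERSON", False)]:
        dtos = participant_dtos("alice", SETUPS, access, sees_all)
        print(access, sees_all, dangling_participants(dtos))
```

Running `dangling_participants` over a real role's Participant records is a quick way to confirm whether a permission set produces unresolved person references before it is rolled out.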