Open Woseseltops opened 1 week ago
There are two view-dataset permission:
Can view dataset: can_view_dataset
View dataset: view_dataset
Before Django 2.1 there was no built in view-permission (https://docs.djangoproject.com/en/5.0/releases/2.1/#what-s-new-in-django-2-1). We made view-permission ourselves but also let Django make the built in ones. This all led so this confusion. See #946 for more on this.
I revised the permissions of the user that reported the error to make sure she has both of the view permissions.
The original code that was testing this was not specific for a particular dataset.
Not sure if related to this, she was not in group Editor, but was in group Researcher and Publisher.
Some of the permissions are from the group. (e.g., check the access to the specific pages in Admin. There it's per group.)
And many permissions are tested inconsistently.
My advise would be to remove the permission with codename can_view_dataset
and leave the permission with codename view_dataset
.
I think this involves the following steps:
assign_perm
and get_object_for_user
function callsDo you agree, @susanodd @Woseseltops @Jetske ?
I agree with this, but I did not want to do this myself. We don't know how some users got the original permissions in the first place. And to "grab" the correct permission object is not necessarily the correct object.
Some of the "lookup" (internal, code that we did not write) searches on matches of "view dataset" (akin to "LIKE") which sometimes matches and sometimes does not. In the past I explicitly did this locally to modify said permissions, but the queries on the permissions tables did not necessarily work correctly. -- WRITING THIS FROM MEMORY) This was back when we were going from Django 1.11 to Django 4.2.
Seer PR #1282
@vanlummelhuizen that sounds like a good solution. I remember changing everything to 'can view dataset' because 'view dataset' was not allowed anymore by Django probably due to the change in 2.1, so sorry for creating all this confusion. If Django allows this I approve to change it back.
Situation as I write this:
What we really want to know is whether the user can view the dataset. @susanodd changed it to
view_dataset
before, but that didn't work for Divya. There are two theories for solutions (both by @susanodd ), they might both be correct.view_dataset
butcan_view_dataset
.I'd like to use this issue to find out what is true and what isn't (perhaps using a test account). Once we know, we can change the permission name to something that actually makes sense.
Related issues: