Closed mtwestra closed 9 years ago
muloem
commented
9 years ago We start with the separation of the Data Deletion functionality in this issue. In subsequent issues we will create the relevant user management functions as defined on the product design page https://github.com/akvo/akvo-product-design/blob/master/FLOW/Features/3-RolesAndPermissions/TechnicalDesign/ListOfRolesandPermissions.md
muloem
commented
9 years ago Make sure you have two active users (one AdminUser and one RegularUser) defined and are able to login to a separate browser with each user. Also make sure you have a monitoring and non-monitoring survey that contains responses
Delete Data permission(execute AdminUser)
Users > Roles and Permissions tab.Add Role and define a role DataDeletionRoleDelete Data permission from the list as well as View Folders and View Forms permissions. Save the changesEdit for one of the existing roles. Delete Data should be included in the list of permissions.Delete Data permissionRegularUser go to the Data > Inspect Data tabFindDelete link is not visible in the Action columnEdit link for one of the responsesDelete button is not visible (or is grayed out?) at the top of the dialogue boxData > Monitoring tabDelete link is not visible in the Action columnView details on one of the entitiesDelete link is not shown in the Action columnAdminUser select Users > Dashboard users tab and edit the permissions of the RegularUser chosen in the pretest preparationRegularUser, refresh the browser and go to the Data > Inspect Data tabDelete link is visible in the action columnEdit link and verify that the Delete button is visible and/or clickable.Data > Monitoring tab and select the monitoring form.Delete link is shown in the Action columnView Details link and verify the Delete link is shown in the Action column in the popup box.
rumca
commented
9 years ago Most of the above test plan passes fine however there's an issue with viewing details on the data > monitoring tab for the Regular User (works for superAdmin users).
When a Regular User with the DataDeletionRole selects a monitoring survey on the data > monitoring tab and then selects view details a 403 is returned: GET http://uat1.akvoflow.org/rest/survey_instances?surveyedLocaleId=16929317 403 (Forbidden) further details Error: Access is Denied. Unable to identify object path or user
They can view & delete the individual forms on the data > inspect data tab so not quite sure what the problem is here? Maybe a similar config problem to earlier?
rumca
commented
9 years ago Issues resolved - closing :+1:
rumca
commented
9 years ago @iperdomo @jonase with release/1.8.5 (and presumably v1.8.4 though I thought it was working at the time) the only people that can currently delete data are super_admins. Regular users who have been assigned the DATA_DELETE permission see a 403 when they try and delete data:
Error: Access is Denied. Unable to identify object path or userNote that the delete option is however shown correctly.
rumca
commented
9 years ago 403 issue resolved and permissions now working as expected with release/1.8.5 (at least in the dashboard) :+1:
At the moment the situation in the user roles and permissions is this:
This is an unwanted conflation of functionalities.
Ideal situation: