Closed mtwestra closed 9 years ago
We start with the separation of the Data Deletion functionality in this issue. In subsequent issues we will create the relevant user management functions as defined on the product design page https://github.com/akvo/akvo-product-design/blob/master/FLOW/Features/3-RolesAndPermissions/TechnicalDesign/ListOfRolesandPermissions.md
Make sure you have two active users (one AdminUser and one RegularUser) defined and are able to log in to a separate browser with each user. Also make sure you have a monitoring and non-monitoring survey that contains responses.

Delete Data permission (execute AdminUser)

Users > Roles and Permissions tab.
Add Role and define a role DataDeletionRole
Delete Data permission from the list as well as View Folders and View Forms permissions. Save the changes
Edit for one of the existing roles. Delete Data should be included in the list of permissions.

Delete Data permission

RegularUser go to the Data > Inspect Data tab
Find
Delete link is not visible in the Action column
Edit link for one of the responses
Delete button is not visible (or is grayed out?) at the top of the dialogue box
Data > Monitoring tab
Delete link is not visible in the Action column
View details on one of the entities
Delete link is not shown in the Action column

AdminUser select Users > Dashboard users tab and edit the permissions of the RegularUser chosen in the pretest preparation
RegularUser, refresh the browser and go to the Data > Inspect Data tab
Delete link is visible in the action column
Edit link and verify that the Delete button is visible and/or clickable.
Data > Monitoring tab and select the monitoring form.
Delete link is shown in the Action column
View Details link and verify the Delete link is shown in the Action column in the popup box.

Most of the above test plan passes fine however there's an issue with viewing details on the data > monitoring tab for the Regular User (works for superAdmin users).
When a Regular User with the DataDeletionRole selects a monitoring survey on the data > monitoring tab and then selects view details a 403 is returned:
GET http://uat1.akvoflow.org/rest/survey_instances?surveyedLocaleId=16929317 403 (Forbidden)
further details:
Error: Access is Denied. Unable to identify object path or user
They can view & delete the individual forms on the data > inspect data tab so not quite sure what the problem is here? Maybe a similar config problem to earlier?
Issues resolved - closing :+1:
@iperdomo @jonase with release/1.8.5 (and presumably v1.8.4 though I thought it was working at the time) the only people that can currently delete data are super_admins. Regular users who have been assigned the DATA_DELETE permission see a 403 when they try and delete data:
Error: Access is Denied. Unable to identify object path or user
Note that the delete option is however shown correctly.
403 issue resolved and permissions now working as expected with release/1.8.5 (at least in the dashboard) :+1:
At the moment the situation in the user roles and permissions is this:
This is an unwanted conflation of functionalities.
Ideal situation: