chembl / curation-interface

This is a repository to track all bugs and issues related to development of the curation interface

Support for user permissions. #91

Closed mnowotka closed 9 years ago

mnowotka commented 9 years ago

Not every user should be able to see and do everything and since we have authentication we can implement permissions. This requires some prior discussions / design. Questions are:

  1. What kind of permissions should be recognized?
  2. What kind of user roles should be defined?
  3. Which permissions should be assigned to which role?

ljbellis commented 9 years ago

Here are my thoughts: Someone simply adding a new compound (no split or merge) should be the most basic permission. Adding a new structure doesn't really affect anything that already exists. I would also suggest that adding a new compound record or synonym should also be at this level - mostly because if these additions were deleted, nothing else would be affected.

Someone merging or splitting compounds or records should require the next level of authentication.

Deleting compounds/records should be the highest level.

These are just my thoughts. Feel free to discuss.

strets123 commented 9 years ago

This is by no means a finished plan but I am posting it to show what our thinking is for how the Oxford chemical registration system is going to work. I do not see this as involving large amounts of code as the django-guardian project helps a lot with object level permissions. I expect to have the first set of tests done by 23rd Jan.

User stories

Each project would have 3 permission levels to begin with

viewer

can view all compounds from projects they are a viewer on, can reference those compounds in batches in projects they are an editor of

editor

can register compounds, can register batches of compounds (from this or other projects that they are a viewer of)

admin

Can delete compounds and add users to the project

Compounds must be marked as public individually. A public compound can be viewed by all users and all users can register a batch of it - the same permissions as a viewer has on a project.

Implementation

  - MoleculeDictionary has one project.
  - InChI key or other compound key is unique per project.
  - Blinded compounds can be registered to a single project without a structure, based on business rules for a project (a set of custom fields for supplier ids etc.).
  - A base compound will be added or referenced for each substance in the project, and that base compound will have the same project.
  - Substances and compounds will be linked via the molecule hierarchy table as they are now, except everything will have a molecule hierarchy for consistency.
  - Substructure search will return both compounds and substances.

Our plan is to test this data model using django-guardian for the object level permissions.
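
An added example, not part of the thread or the project's code: the viewer/editor/admin and public-compound rules from the user stories above written as plain-Python checks (a stand-in for django-guardian, which is not used here). It assumes roles are cumulative and that registering a batch of a public compound still requires editor rights on the receiving project; the class, function, user, project and key names are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Role(IntEnum):
    # Assumption (not stated in the thread): roles are cumulative.
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3

@dataclass(frozen=True)
class Compound:
    key: str  # constructed placeholder key, unique per project
    project: str
    public: bool = False

@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # project name -> Role

    def role_on(self, project):
        # Default deny: no entry for a project means no access to it.
        return self.roles.get(project, Role.NONE)

def can_view(user, compound):
    # A public compound gives every user viewer-level access to it.
    return compound.public or user.role_on(compound.project) >= Role.VIEWER

def can_register_compound(user, project):
    return user.role_on(project) >= Role.EDITOR

def can_register_batch(user, compound, target_project):
    # Two independent checks: editor on the project receiving the batch,
    # and at least view access to the compound being referenced.
    return can_register_compound(user, target_project) and can_view(user, compound)

def can_delete(user, compound):
    # Public visibility never implies delete rights; admin of the owning project only.
    return user.role_on(compound.project) >= Role.ADMIN

def can_add_user(user, project):
    return user.role_on(project) >= Role.ADMIN

# Constructed sample data (hypothetical user, projects and keys).
ALICE = User("alice", {"proj_a": Role.EDITOR, "proj_b": Role.VIEWER})
SECRET = Compound("KEY-0001", "proj_c")
PUBLIC = Compound("KEY-0002", "proj_c", public=True)
```
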

mnowotka commented 9 years ago

In the simplest form permissions are now implemented.