Closed rosibaj closed 3 years ago
@rosibaj
If the file is access.controlled, and the file size is < 1gb , and the user must have DACO.read to be enabled. (tooltip over 1gb)
- does this imply that if it's under 1gb and is controlled there is no DACO check?
Verify that the API returns this response correctly (empty response if no access to the file).
are the permissions based on release_stage? Just need to know what I need to edit for testing this.
@kcullion just looping you in here because you're the design hero. ^
@ciaranschutte @rosibaj maybe this 401 page would cover it? https://zpl.io/aBKd1l0
Maybe in this case it could also say, or login if you have program access (if we want to customize that)
Note: this page has already been built
@ciaranschutte sorry i missed your comment before.
If user is logged in, and the file.access is controlled, and the user does NOT have DACO, then the download button is disabled.
@rosibaj just to clarify, they will only see links to the file entity pages in the file repo table that they have access to right? So they only see this 401 page if they logout and go to that link?
@ciaranschutte @kcullion I've confirmed with Jon, we should show the 404 UI page in this case.
@kcullion to answer your question, yes a user should only see links for files they can access. this would happen if
We don't want to show a 401 authorization page, as this file shouldn't "exist" for a user that doesn't have permission. In the case of crawling for ids, this would give information away we don't want to, and the 404 is the right choice to prevent that.
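The 404-instead-of-401 decision above, as an added example that is not part of the original thread or the ARGO code base: a lookup that returns one identical response for a missing id and for a file the user may not see, plus the DACO download rule. The file ids, the user objects and the `isVisible` program check are constructed assumptions, and the 1gb size rule is left out.

```javascript
// Added example. File ids, users and the visibility rule are constructed.
const FILES = new Map([
  ['FL-open', { access: 'open', program: 'PROG-A' }],
  ['FL-ctrl', { access: 'controlled', program: 'PROG-A' }],
  ['FL-other', { access: 'controlled', program: 'PROG-B' }],
]);

// One shared response for "does not exist" and "exists but not permitted".
const NOT_FOUND = Object.freeze({ status: 404, body: 'File not found' });

// Assumption: stand-in for the permission filter the file repo applies.
function isVisible(user, file) {
  return user !== null && user.programs.includes(file.program);
}

// Download rule from the thread: open -> enabled; controlled -> needs DACO.
function downloadEnabled(user, file) {
  return file.access === 'open' || user.daco === true;
}

function getFileEntity(user, fileId) {
  const file = FILES.get(fileId);
  // Both failure cases share one branch, so status, body and shape are
  // identical and a crawler cannot tell a hidden id from an unused one.
  if (!file || !isVisible(user, file)) return NOT_FOUND;
  return {
    status: 200,
    body: { id: fileId, access: file.access, downloadEnabled: downloadEnabled(user, file) },
  };
}

const anonymous = null; // logged-out visitor
const memberNoDaco = { programs: ['PROG-A'], daco: false };
const memberDaco = { programs: ['PROG-A'], daco: true };

const cases = [['anonymous', anonymous], ['no DACO', memberNoDaco], ['DACO', memberDaco]];
for (const [who, user] of cases) {
  for (const id of ['FL-open', 'FL-ctrl', 'FL-other', 'FL-missing']) {
    console.log(who, id, JSON.stringify(getFileEntity(user, id)));
  }
}
```

A regression test for this behaviour should compare the full serialized responses for a hidden id and an unused id, not only the status code, since a differing body or field set leaks the same information.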
@rosibaj thanks! Ok, I think the 404 page was built too, in case @ciaranschutte wasn't involved with that
Tested April 15 in QA:
File Repo is source of truth on this one. If you can see it in file repo you can see the page. There are still filtering bugs from arranger that have been referenced previously. https://github.com/icgc-argo/platform-api/issues/364 https://github.com/icgc-argo/platform-api/issues/393 As far as frontend is concerned, we deal with an empty data response correctly
edit: unrelated
~~ auth fixed on dev but login is garbling urls eg.
https://platform-ui.dev.argo.cancercollaboratory.org/file/ffaa6aa2-a69f-56f4-bdfc-0a27d93fa98b%3FisOauth%3Dtrue#
because we have the file portion and an auth portion.
wrapping into this fix https://github.com/icgc-argo/platform-ui/issues/1802 ~~
Which users can see the page? Which users can download a file?
Entity pages are subject to access control:
For any entity page need to access the API to find out the permissions
API Response should be
access (i.e data returned)
OR Not found
If found, the file page should load data.
If not found, the page should say "not found". The file page should load (not crash) but say file not found.
[ ] Verify that the API returns this response correctly (empty response if no access to the file). We think that file responses ARE filtered by permission.
[ ] If the file is access.controlled, and the file size is < 1gb , and the user must have DACO.read to be enabled. (tooltip over 1gb)
FOR Rosi's testing:
open
the downloads button is enabled.controlled
the download button is disabled.controlled
, and the user has DACO, then the download button is enabled.