irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Property based search in AVU search should not show all results - not more than granted permission rights #258

Closed mstfdkmn closed 2 years ago

mstfdkmn commented 3 years ago

Property-based search in AVU search gives users (rodsuser) the possibility to see the structure and names of all of other users' collections and data objects. To some extent this might be okay. But I think this is more than the "need to know" principle. An iCommands search with iquest doesn't provide the same result. The iquest query works according to the granted access permissions.

Make the query based on the path parameter, including a targeted user name:

image

See all the collections and data objects of the queried user. As seen, if the user who makes the query has access rights to any objects, those objects appear in blue and are therefore clickable:

image

You can see data objects as well:

image

However, iCommands (iquest) gives results only for the objects that the user making the query has access to.

iquest "%s/%s" "SELECT COLL_NAME, DATA_NAME where COLL_NAME like '%userName%'"

image

We think that the extensive search options of Metalnx should work according to the access rights, like what we have in other clients, i.e., iCommands. How do you evaluate this?

Note: Tested in both 4.2.8 - 2.4.0 and 4.2.9 - 2.4.0, and the db is MySQL.

Thanks.

mstfdkmn commented 3 years ago

A minor point:

On this screen the column name "File Type" should be "Object Type" and the value "file" should be "data object" for the sake of consistency.

korydraughn commented 3 years ago

Please take a look at the following PR: https://github.com/irods-contrib/metalnx-web/pull/267

korydraughn commented 2 years ago

This issue can be closed due to #267.

trel commented 2 years ago

Ah, very nice.