some "member" users are unexpectedly able to retract previously published content objects

[paregorios]

Expected behavior:

Users with only the Member role should be able to retract content that they created that is in pending state, but not content that is in published state.

Current behavior:

A user with only the Member role has recently retracted several objects that were in published state in order to modify them, instead of checking out a working copy. This workflow path should not be possible.

Steps to reproduce:

1. Login with an account that only has only a Member role.
2. Create and save a new place object.
3. Submit the place for review.
4. Logout
5. Login with an account that has the Reviewer role.
6. Navigate to the submitted place and publish it.
7. Logout
8. Login with the same Member account used in number 1, above.
9. Navigate to the place that was created in number 2 and published in number 6.
10. Select the "state" dropdown menu and choose "retract".
11. Note that the place is now in drafting state.

Desired behavior

• For an authenticated user with the Member role but without the Reviewer role:

  • the "retract" option on the "state" drop-down menu:
    • should only appear on content items created/owned by that user that are in pending state
    • should not appear on any content item that is in published state, regardless of who the creator or owner was
  • the send back option should never appear

• For an authenticated user with the Reviewer role, the "retract" option on the "state" drop-down menu:

  • the "retract" option on the "state" drop-down menu should always appear on content in published state
  • the "send back" option on the "state" drop-down menu should always appear on content in pending state

[alecpm]

I've changed the published state in the pleiades_entity_workflow to allow the reject transition, but not the retract transition. Previously, only the retract transition was allowed, which is definitely not what you wanted.

[alecpm]

I also made this change in the pleiades.policy profile workflow definition.

[paregorios]

@alecpm This seems to be working as desired on production. Is there anything else that needs doing at this stage, or are we ready to close the ticket?

[serviliusahala]

Hello.

Does this mean all users have lost the 'retract' function? should we use 'send back' in its place?

Jeffrey A. Becker, Ph.D. RPA (is/eum) | Mediterranean archaeologist | RPA #16473 | @. Editor for Smarthistory http://smarthistory.org/ and Pleiades Project https://pleiades.stoa.org/home | Lecturer, Binghamton University - SUNY https://www.binghamton.edu/cnes| 617-877-4484 | Mastodon @.> | Research Profile at HCommons https://hcommons.org/members/serviliusahala/ | ORCID iD http://orcid.org/0000-0001-8759-3774

On Mon, Apr 3, 2023 at 4:00 PM Tom Elliott @.***> wrote:

@alecpm https://github.com/alecpm This seems to be working as desired on production. Is there anything else that needs doing at this stage, or are we ready to close the ticket?

— Reply to this email directly, view it on GitHub https://github.com/isawnyu/pleiades-gazetteer/issues/494#issuecomment-1494901899, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA2RA7OQOS56WNWQDVN47S3W7MT4VANCNFSM6AAAAAAWOVM4XU . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[alecpm]

"Retract" is still available from the "Pending review" state, but not from the "Published" state. "Retract" and "Send Back" do the exact same thing, the only difference is who is allowed to perform the operation (the content creator/owner can "Retract", but only admins/reviewers can "Send Back").