lukefitzwolfgang / icatproject

Automatically exported from code.google.com/p/icatproject

Permissions inheritance - differing behaviour #121

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create an investigation, and a rule allowing a user to Read it

2. Create a dataset under that investigation

3. Search for the Investigation, including the dataset 
Investigation INCLUDE Dataset [title = 'What I said earlier']
You will be able to access the dataset

4. Search for the dataset directly
Dataset [name= 'the dataset name']
Receive an exception: IcatException_Exception: Read access to this Dataset is 
not allowed

What is the expected output? What do you see instead?
The same behaviour, no matter how I access the dataset.

In order to allow public access to the Raw data, and the PI to control access 
to published data, it is desirable that the investigation could be open, but a 
dataset could still be restricted.
This is more like the behaviour when I try to access the dataset directly.

Original issue reported on code.google.com by tom.grif...@stfc.ac.uk on 15 May 2013 at 10:30

GoogleCodeExporter commented 9 years ago
This is by design to make it fast. However I have to change a lot to support 
the extended query and authz rule syntax so may be able to do this provided 
that it is not too time consuming. I do have a cunning plan...

Original comment by dr.s.m.f...@gmail.com on 15 May 2013 at 8:49

GoogleCodeExporter commented 9 years ago
The impact of the issue goes even deeper than what Tom describes:

On my test ICAT I created a user who has read permission on Facility,
no other permissions at all.  He can access all Datafiles on the ICAT
at once, regardless of their respective access rules, just by
searching for "Facility INCLUDE Investigation, Dataset, Datafile".

Original comment by rolf.kr...@helmholtz-berlin.de on 18 Jul 2013 at 11:35
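
The behaviour reported in the comments above, as an added example that is not part of the thread or of ICAT's code: a toy Python model in which READ is checked only on the root of an INCLUDE search, next to a variant that checks every included entity. The rule format, the entity names and the choice to silently drop unreadable included entities are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    kind: str                      # "Facility", "Investigation", "Dataset", "Datafile"
    name: str
    children: list = field(default_factory=list)

def can_read(user, entity, rules):
    # A rule is (user, kind): a constructed simplification of real authz rules.
    return (user, entity.kind) in rules

def collect(entity, include, allowed):
    """Return the entity plus included descendants that pass `allowed`.
    A rejected child prunes its whole subtree."""
    out = [f"{entity.kind}:{entity.name}"]
    for child in entity.children:
        if child.kind in include and allowed(child):
            out.extend(collect(child, include, allowed))
    return out

def search_root_only(user, root, include, rules):
    """Reported behaviour: READ is checked on the root entity only."""
    if not can_read(user, root, rules):
        raise PermissionError(f"Read access to this {root.kind} is not allowed")
    return collect(root, include, lambda e: True)

def search_checked(user, root, include, rules):
    """Variant that applies the same READ check to every included entity."""
    if not can_read(user, root, rules):
        raise PermissionError(f"Read access to this {root.kind} is not allowed")
    return collect(root, include, lambda e: can_read(user, e, rules))

def build_sample():
    # Constructed sample data: one Facility > Investigation > Dataset > Datafile chain.
    datafile = Entity("Datafile", "df1")
    dataset = Entity("Dataset", "ds1", [datafile])
    investigation = Entity("Investigation", "inv1", [dataset])
    return Entity("Facility", "fac1", [investigation]), datafile

RULES = {("reader", "Facility")}   # "reader" may read Facility and nothing else
INCLUDE = {"Investigation", "Dataset", "Datafile"}

if __name__ == "__main__":
    facility, datafile = build_sample()
    print("root-only:", search_root_only("reader", facility, INCLUDE, RULES))
    print("checked:  ", search_checked("reader", facility, INCLUDE, RULES))
```
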

GoogleCodeExporter commented 9 years ago
It is behaving exactly as specified - however I have accepted that the 
behaviour is not acceptable. It will be revised as part of the work on the more 
elaborate query language.

Original comment by dr.s.m.f...@gmail.com on 18 Jul 2013 at 12:37

GoogleCodeExporter commented 9 years ago
Now checked in

Original comment by dr.s.m.f...@gmail.com on 15 Aug 2013 at 5:53

GoogleCodeExporter commented 9 years ago

Original comment by dr.s.m.f...@gmail.com on 22 Aug 2013 at 1:45

GoogleCodeExporter commented 9 years ago

Original comment by dr.s.m.f...@gmail.com on 25 Oct 2013 at 10:06