molssi-seamm / seamm_dashboard

This is a web dashboard to be used with MolSSI's [Simulation Environment for Atomistic and Molecular Modeling](https://molssi-seamm.github.io) (SEAMM). This dashboard will allow users to view results of their calculations (jobs), keep track of their simulation procedures (flowcharts), and group their jobs into projects.
BSD 3-Clause "New" or "Revised" License

change permissions checks to be on projects rather than only on jobs #85

Closed janash closed 3 years ago

janash commented 3 years ago

This addresses the hierarchical permissions problem we discussed this morning.

Problem statement: Jobs and flowcharts can belong to multiple projects. In the previous/current model, this was a problem because permissions for jobs were stored directly on the job, and a job could hold only one set of permissions. This could potentially lead to permissions clashes between jobs.

Solution: In this solution, we check the job permissions first (owner, group, world). If permission to access the job or flowchart is not found under these, permissions on project(s) containing the job or flowchart are checked to determine if the user has access.

This is done in the API endpoints for accessing jobs or flowcharts rather than inside of the code in charge of permissions. I had avoided this in the past for fear of worse performance. However, it might be unlikely that users will have enough jobs to notice poor performance.

This closes #83

Also note that in the future if we did want to allow permissions by job or flowchart, we could still add those. It would require addition of more tables to the DB.
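
The check order described in this pull request, as an added sketch that is not code from seamm_dashboard: job-level owner/group/world permissions are consulted first, then the projects containing the job. The class names, field names, action strings and the rule that a grant from any one containing project is sufficient are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: frozenset = frozenset()

@dataclass
class Project:
    name: str
    user_grants: dict = field(default_factory=dict)   # username -> {"read", ...}
    group_grants: dict = field(default_factory=dict)  # group name -> {"read", ...}

@dataclass
class Job:
    owner: str
    group: str
    owner_perms: frozenset = frozenset({"read", "update", "delete"})
    group_perms: frozenset = frozenset()
    world_perms: frozenset = frozenset()
    projects: list = field(default_factory=list)

def job_allows(user, job, action):
    """Step 1: owner, group, world permissions stored on the job itself."""
    if user.name == job.owner and action in job.owner_perms:
        return True
    if job.group in user.groups and action in job.group_perms:
        return True
    return action in job.world_perms

def project_allows(user, job, action):
    """Step 2 (assumed rule): any project containing the job may grant the action."""
    for project in job.projects:
        if action in project.user_grants.get(user.name, ()):
            return True
        if any(action in project.group_grants.get(g, ()) for g in user.groups):
            return True
    return False

def can_access(user, job, action):
    # Deny by default: access needs a positive grant at one of the two levels.
    return job_allows(user, job, action) or project_allows(user, job, action)

# Constructed sample data: one job shared by two projects with different grants.
alice, bob, carol = User("alice"), User("bob", frozenset({"lab"})), User("carol")
proj_a = Project("a", user_grants={"carol": {"read"}})
proj_b = Project("b", group_grants={"lab": {"read", "update"}})
job = Job(owner="alice", group="staff", projects=[proj_a, proj_b])
```

Because the job no longer carries per-project permissions, the two projects can grant different actions to different users without overwriting each other, and a job that belongs to no project falls back to its own owner/group/world settings only.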