Closed ACharbonneau closed 3 years ago
She finds the same behavior when she has just LINCS Reviewers permissions. Can add screenshots if desired.
I think ideally we want submitters and reviewers to not have access to the Edit Submitted Datapackage page at all, or if they can see it, for it to be entirely greyed out rather than letting the try and fail to change the status.
This is a known technical limitation of deriva for the current policy regime. We have work planned to improve this but I do not think it will be done soon enough to include in this release. In the interim, I can try to adjust the policy to reduce the number of scenarios where this occurs. It will be unavoidable for a user who actually has "approver" privileges for one DCC and is also allowed to view other DCC submissions w/o approver privilege.
The interim policy workaround has been applied to dev, briefly verified by manuall testing, and applied to staging as well.
Had a tester in LINCS submitters:
and she was able to get to the Edit submitted datapackage page and change the status:
the system did stop her from saving the new status, but it did so by suggesting she log in (she was already logged in) and then throwing a 403 error
I think ideally we want submitters to not have access to the Edit Submitted Datapackage page at all, or if they can see it, for it to be entirely greyed out rather than letting the try and fail to change the status.