self-reg user has no access to shared responses

[stevenolen]

For self-reg users (and now keycloak users, as they are by default added to the public class) have access as "participant" to the campaigns in public, but cannot see existing shared data (they are not also "analysts").

@hongsudt I presume this was intentional? Any suggestions on this? Should this be an admin configurable parameter? Or perhaps they should be added as analysts as well to support the public data collection aspect?

[hongsudt]

yeah.. I think by default, they should be added as an analyst. If we don't want analyst to see anyone's shared data, we can already control at the campaign level..

[stevenolen]

neat. we should inform users a bit better about this when they share data to a public class. I'll open a relevant issue

(and also close this when i've changed the server behavior.)

[stevenolen]

will also need to add the current public class to config/read output.

[stevenolen]

one more thing: should we consider this a bug and make a migration to add the users in a campaign attached to the public class as analysts?

My assumption would be no, because this was "working as intended" for many releases, we'd just prefer that the behavior be changed going forward?

[stevenolen]

While I was looking through the current user-campaign relationships I noticed a weird anomaly: self-reg users in the public class already had participant+analyst roles on many of the campaigns attached to the public class.

Turns out, as this block shows, any campaigns created with the class_urn_list including the public class would have public class users added as analysts.

Scratch my comment here: https://github.com/ohmage/server/issues/887#issuecomment-185825796. Per the findings in this comment (and a conversation with @hongsudt) having self-reg/external users who are added to the public class only as participants is considered a bug.

A final commit here will include a migration to "fix" all existing occurrences of this.