samvera-deprecated / curation_concerns

A Hydra-based Rails Engine that extends an application, adding the ability to Create, Read, Update and Destroy (CRUD) objects (based on Hydra::Works) and providing a generator for defining object types with custom workflows, views, access controls, etc.

prevents user from adding ordered_member_ids which they do not own #1156

Closed revgum closed 7 years ago

revgum commented 7 years ago

Adding a child work which is not owned by the current user: fix for Sufia issue 3042 (projecthydra/sufia#3042).

mjgiarlo commented 7 years ago

@revgum There's not a very strong "ownership" model at the moment. Should the users listed in the object's edit_users list, and users in the edit_groups list, also be able to add works to works? I believe you can do this via an Ability check, which will use hydra-access-controls for the above checks. @jcoyne does that sound right?

revgum commented 7 years ago

@mjgiarlo This is a great question, and somewhat touches on a discussion that @vantuyls and I were having this morning. ApplyOrderActor and AddToWorkActor both cover similar functionality with regard to associating a work to another work (in the parent, or child context) and both would need this type of ownership consideration you're mentioning.

If we can come to a consensus, should the same edit_users and edit_groups check happen for both actors?
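The ownership check discussed in the two comments above, as an added stand-alone example that is not curation_concerns or hydra-access-controls code: a minimal `Ability` that grants edit on depositor, `edit_users` or `edit_groups`, and one screening function that either actor could call before it touches `ordered_member_ids`. The `Work`, `User`, `Ability#can_edit?` and `authorize_member_ids` names, and the Hash standing in for the repository lookup, are assumptions.

```ruby
# Added example, not project code. Names and the in-memory repository are assumptions.
Work = Struct.new(:id, :depositor, :edit_users, :edit_groups, keyword_init: true)
User = Struct.new(:user_key, :groups, keyword_init: true)

# Shape of the Ability check: a user may edit a work if they deposited it,
# are listed in its edit_users, or belong to one of its edit_groups.
class Ability
  def initialize(user)
    @user = user
  end

  def can_edit?(work)
    return false if work.nil? # unknown ids never pass
    work.depositor == @user.user_key ||
      work.edit_users.include?(@user.user_key) ||
      (work.edit_groups & @user.groups).any?
  end
end

# Outcome of screening a requested member list: ids the user may attach, and ids refused.
MemberAuthorization = Struct.new(:allowed, :rejected, keyword_init: true)

# The single screen both ApplyOrderActor and AddToWorkActor would need: every requested
# child id must resolve to a work the current user can edit. `repository` is a Hash of
# id => Work standing in for the Fedora/Solr lookup.
def authorize_member_ids(user, requested_ids, repository)
  ability = Ability.new(user)
  allowed, rejected = requested_ids.uniq.partition { |id| ability.can_edit?(repository[id]) }
  MemberAuthorization.new(allowed: allowed, rejected: rejected)
end

# Constructed sample data for demonstration only.
SAMPLE_REPO = {
  'w1' => Work.new(id: 'w1', depositor: 'alice@example.org', edit_users: [], edit_groups: []),
  'w2' => Work.new(id: 'w2', depositor: 'bob@example.org', edit_users: ['alice@example.org'], edit_groups: []),
  'w3' => Work.new(id: 'w3', depositor: 'bob@example.org', edit_users: [], edit_groups: ['curators']),
  'w4' => Work.new(id: 'w4', depositor: 'bob@example.org', edit_users: [], edit_groups: [])
}.freeze

ALICE = User.new(user_key: 'alice@example.org', groups: ['curators']).freeze

if $PROGRAM_NAME == __FILE__
  result = authorize_member_ids(ALICE, %w[w1 w2 w3 w4 missing], SAMPLE_REPO)
  puts "allowed:  #{result.allowed.inspect}"  # w1 (depositor), w2 (edit_users), w3 (edit_groups)
  puts "rejected: #{result.rejected.inspect}" # w4 (no grant), missing (unknown id)
end
```

Rejecting rather than silently dropping the refused ids lets the actor return a validation error the caller can see, which is the behaviour to prefer in the real actors.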

mjgiarlo commented 7 years ago

What do you think, @jcoyne?