User permission

[jillpe]

Summary

The following user ends up with permissions to add to all collections and should not have that.

Accepted Criteria

• [ ] The user above only has permission to add to the following collections

[bkiahstroud]

The user above only has permission to add to the following collections

@jillpe the language above implies there should be a list of approved collections the user can add to. Do we have that list anywhere?

[jillpe]

No, but I will get clarification (I'm pretty sure it's just the collection they created)

[bkiahstroud]

Notes

1. 004268589@cpp.edu is a member of the managers-pomona group

Screenshot


---

2. Two Hyrax::CollectionTypeParticpant records exist for 004268589@cpp.edu. The existence of these records are what grant this user :create and :manage access to all newly created User Collections

```ruby pp Hyrax::CollectionTypeParticipant.where(agent_id: "004268589@cpp.edu") [#, #] ```

---

3. Stats

• Number of Collections user has access to: 1,340

Hyrax::PermissionTemplateAccess.where(agent_id: "004268589@cpp.edu")

• Number of Collections user has created: 224

Collection.where(depositor: '004268589@cpp.edu')

• Number of Collections user has access to that they did not create: 1,116 (1,340 - 224)

---

Proposed Solution

• [x] Delete the 2 Hyrax::CollectionTypeParticipant records

Implementation

```ruby ctp = Hyrax::CollectionTypeParticipant.where(agent_id: '004268589@cpp.edu') ctp.count == 2 ? ctp.map(&:destroy) : puts 'deleting unexpected records' ```

• [x] Revoke 004268589@cpp.edu's access from all collections they have individual access to that they did not create¹

Implementation

```ruby resp = ActiveFedora::SolrService.get( 'has_model_ssim:Collection', fq: 'depositor_ssim:004268589@cpp.edu', fl: 'id', rows: 1_000 ) good_ids = resp.dig('response', 'docs').pluck('id') total_access_count = Hyrax::PermissionTemplateAccess.where(agent_id: "004268589@cpp.edu").count superfluous_accesses = Hyrax::PermissionTemplateAccess .joins(:permission_template) .where(agent_id: "004268589@cpp.edu") .where .not(permission_templates: { source_id: good_ids }) bad_permission_templates = superfluous_accesses.map(&:permission_template);nil if (total_access_count - good_ids.size) == superfluous_accesses.count superfluous_accesses.destroy_all else puts "error: counts don't match" end bad_permission_templates.each do |permission_template| begin collection = permission_template.collection permission_template.reset_access_controls_for(collection: collection) rescue Hyrax::ObjectNotFoundError => e puts "PermissionTemplate #{permission_template.id} is for an AdminSet. No need to call #reset_access_controls_for. Skipping..." next end end ```

¹ Note that they are in the managers-pomona group, so they should still retain access to all collections that group has been granted access to

[bkiahstroud]

On hold pending approval from the client to move forward with the Proposed Solution (see previous comment)

[dswalker]

This sounds good to me, Kiah. I approve.

[bkiahstroud]

The user in question should no longer have access to collections they did not create, nor should they be granted access to every newly created collection moving forward

[aprilrieger]

@dswalker will review and test and provide feedback.