Closed seanluyk closed 3 years ago
Some additional information for troubleshooting:
While this bug is being addressed I am upgrading everyone to manager since we have work to do in the collection
Update:
"I now have the "Manage Content" tab, but when I enter it says "You don't have any collections yet" and doesn't provide a way to select one (only to "create" one). Searching "spokenweb" doesn't produce a result, and "spokenweb" doesn't appear under the collections delimiter."
@seanluyk A quick, off the cuff suggestion to try. Have user logout and then login again.
@jefferya thanks I'll check. If it's just that I'll be very happy!
@jefferya they tried this and still are not able to access it. I even gave them special access permission to the collection and they don't see this collection listed when they limit by collection. I'm just double checking that they paged through the list of collections
@jefferya - update: even after moving these users back to the role they had before (depositor) they don't seem to have access to the items/appropriate permissions. Logging in and out doesn't change anything
Troubleshooting attempt 1: UAT
Summary: unable to reproduce on UAT, so assuming the problem is with a piece that is different between UAT and production (mainly areas surrounding the CCID/shibboleth auth, contents of the database, or another content store (e.g., fedora)).
Gist of troubleshooting:
Details:
Continuing troubleshooting (note: problem seems to have self resolved)
Check if the identity provider is returning the proper attributes (check via private/incognito browser mode)
Possibly related but unproven to be the case, IST was having problems with their CCID Single Sign On (reported a few hours after this issue was created). Was the IDP providing spurious results to ERA A+V, as ERA A+V depends on the IDP providing a proper e-mail address as part of the Single Sign On process?
Avalon roles.
There are two sets of roles:
a) those attached to a collection (Admin::Collection in Fedora). E.g. collection manager, editor, and depositor -- [Avalon Roles Explained](https://www.avalonmediasystem.org/blog-post/understanding-avalon-roles-and-permissions)
b) those attached to the application as a whole (and stored in the RDBMS). The Admin::Collection models the properties that may have been part of the problem, though the above "...roles appear in JSON output..." indicates the model was likely updated successfully. E.g., repository administrator, manager, group_manager
Maybe something got stuck in a cache and it's expired now? https://github.com/ualbertalib/avalon/blob/master/app/models/role_map.rb#L29. The RoleMap model addresses the latter type of roles, the repository-as-a-whole roles (e.g., map 'xyz@xyz.com' to repository administrator).
I didn't go deeply into how a & b connect; for example, both a repository administrator and all collection-specific managers, editors, and depositors have access to the contents of a collection marked as "collection staff only". I didn't see where the union of permissions from a or b is interpreted and compared with the e-mail address used as an ID from the shibboleth IDP provider.
Open question, how to better test for this problem?
Rollbar and resque jobs didn't indicate any related failures.
```ruby
Admin::Collection.find('xyz').managers
Admin::Collection.find('xyz').editors
Admin::Collection.find('xyz').media_object_ids
```
@seanluyk Does this continue to be problematic or can we close this issue?
Hasn't happened again since, closing this issue
Reported by recently appointed editors of the SpokenWeb UAlberta collection:
Expected behaviour: Avalon Roles Explained