Editor permissions not working properly

[seanluyk]

Reported by recently appointed editors of the SpokenWeb UAlberta collection:

• Manage Content does not appear but Manage Selected items does when logged in
• Expected behaviour (confirmed via email with Avalon project lead): Editors should be able to access the manage content page

Expected behaviour: Avalon Roles Explained

[seanluyk]

Some additional information for troubleshooting:

• Those with the editor role before the upgrade to 6.5 experience expected behaviour, but those who were given this role after do not

While this bug is being addressed I am upgrading everyone to manager since we have work to do in the collection

[seanluyk]

Update:

• The same users have been granted Manager permissions, and the roles appear in JSON output, but they are experiencing a different issue now:

"I now have the "Manage Content" tab, but when I enter it says "You don't have any collections yet" and doesn't provide a way to select one (only to "create" one). Searching "spokenweb" doesn't produce a result, and "spokenweb" doesn't appear under the collections delimiter."

[jefferya]

@seanluyk A quick, off the cuff suggestion to try. Have user logout and then login again.

[seanluyk]

@jefferya thanks I'll check. If it's just that I'll be very happy!

[seanluyk]

@jefferya they tried this and still are not able to access it. I even gave them special access permission to the collection and they don't see this collection listed when they limit by collection. I'm just double checking that they paged through the list of collections

[seanluyk]

@jefferya - update: even after moving these users back to the role they had before (depositor) they don't seem to have access to the items/appropriate permissions. Logging in and out doesn't change anything

[jefferya]

Troubleshooting attempt 1: UAT

Summary: unable to reproduce on UAT so assuming the problem is with a piece that is different between UAT and production (mainly areas surrounding the CCID/shibboleth auth, contents of the database, or another content store (e.g., fedora)

Gist of troubleshooting:

• add new user (no group),
• (incognito browser as new user) check if spoken web collection viewable (should not be as restricted to collection staff only),
• add to editor group,
• (incognito browser as new user logout and login) check is spoken web collection viewable

Details:

New user, no group association, as expected, spoken web collection is not viewable and no "manage content" in the function bar next to "Browse"

New user, add to group of editors for Spoken Web project

Logged in as the new user after being added to the Spoken Web project editors group I can see the "Manage Content" tab in the function bar and "Spoken Web" in the list of collections.

---

Also also the "Manage Content" page

---

[jefferya]

Continuing troubleshooting (note: problem seems to have self resolved)

Check if the identity provider is returning the proper attributes (check via private/incognito browser mode)

1. initiates a CCID auth login
   • https://era-av.library.ualberta.ca/Shibboleth.sso/Login
2. displays some debugging info - see #409 for info -- UAL did add some error checking of the idp response, maybe not enough?
   • https://era-av.library.ualberta.ca/Shibboleth.sso/Session
3. check ERA A+V afterwards
   • https://era-av.library.ualberta.ca

Possibly related but unproven to be the case, IST was having problems with their CCID Single Sign On (reported a few hours after this issue was created). Was the IDP providing spurious results to ERA A+V as ERA A+V depends on a the IDP providing a proper e-mail address as part of the Single Sign On process?

Avalon roles.

There are two sets of roles:

a) those attached to a collection (Admin::Collection in Fedora). E.g. collection manager, editor, and depositor -- Avalon Roles Explained](https://www.avalonmediasystem.org/blog-post/understanding-avalon-roles-and-permissions)

b) attached to the application as a whole (and stored in the RDMS). The Admin::Collection models the properties that may have been part of the problem thought in the above "...roles appear in JSON output..." indicates the model was likely updated successfully. E.g., repository administrator, manager, group_manager

Maybe something got stuck in a cache and it’s expired now? https://github.com/ualbertalib/avalon/blob/master/app/models/role_map.rb#L29. The RoleMap model addresses the latter type of roles, the repository as a whole roles (e.g., map 'xyz@xyz.com' to repository administrator.

I didn't go deeply into how a & b connection, for example, both a repository administrator and all collection specific managers, editors, and depositors have access to the contents of a collection marked as "collection staff only". I didn't see where the union of permissions from a or b are interpreted and compared with the e-mail address used as an ID from shibboleth IDP provider.

Open question, how to better test for this problem?

Rollbar and resque jobs didn't indicate any related failures.

Admin::Collection.find('xyz').managers Admin::Collection.find('xyz').editors Admin::Collection.find('xyz').media_object_ids

[jefferya]

@seanluyk Does this continue to be problematic or can we close this issue?

[seanluyk]

Hasn't happened again since, closing this issue