In order to better restrict who has access to certain images, this change adds a new patron type for staff that should have access to restricted images (reducing this from all staff to only staff with this role).
In addition this will require an update to the OpenAthens configuration that currently uses the Staff role from Auth0 to distinguish who should have access to certain journals. New configuration will need to include also the StaffWithRestricted type. See the #wc-open-athens Slack.
[x] Deploy this change, ask a test user to login - is their patron type updated in Auth0?
[ ] When the IIIF API changes have occurred, can only the new staff type get access to restricted images?
How can we measure success?
Only staff users who need access to restricted images should have access to those images.
Have we considered potential risks?
We are changing authentication for some users, but this should reduce permissions for staff rather than increase it. We should see if we can test this change on stage before releasing.
What does this change?
In order to better restrict who has access to certain images, this change adds a new patron type for staff that should have access to restricted images (reducing this from all staff to only staff with this role).
This change will require an update to the IIIF API mappings here: https://github.com/wellcomecollection/iiif-builder/blob/main/src/AuthTest/AuthTest/Controllers/HomeController.cs#L38, requested in Slack. The new mapping should allow only
StaffWithRestricted
access to restricted images.Related: https://github.com/wellcomecollection/iiif-builder/pull/270
In addition this will require an update to the OpenAthens configuration that currently uses the
Staff
role from Auth0 to distinguish who should have access to certain journals. New configuration will need to include also theStaffWithRestricted
type. See the #wc-open-athens Slack.For https://github.com/wellcomecollection/identity/issues/400
Part of: https://github.com/wellcomecollection/platform/issues/5747
How to test
How can we measure success?
Only staff users who need access to restricted images should have access to those images.
Have we considered potential risks?
We are changing authentication for some users, but this should reduce permissions for staff rather than increase it. We should see if we can test this change on stage before releasing.