
New Contribute: Non sysadmin user can assign _any_ user as maintainer

Open cjhendrix opened this issue 9 years ago • 21 comments

Users should only be able to assign editors/admins of the org owning the dataset.

In the example below, user Linky is not a member/editor/admin of OCHA-BGSS.

image

cjhendrix avatar Feb 17 '16 15:02 cjhendrix

@cjhendrix is this something that we need to discuss with @luiscape @JavierTeran @takavarasha or @yumiendo ?

danmihaila avatar Feb 23 '16 12:02 danmihaila

I see no problem as long as non sysadmin user has admin editor rights to the org that owns dataset.

On Tuesday, February 23, 2016, danmihaila wrote:

@cjhendrix https://github.com/cjhendrix is this something that we need to discuss with @luiscape https://github.com/luiscape @JavierTeran https://github.com/JavierTeran @takavarasha https://github.com/takavarasha or @yumiendo https://github.com/yumiendo ?

— Reply to this email directly or view it on GitHub https://github.com/OCHA-DAP/hdx-ckan/issues/4088#issuecomment-187687423.

takavarasha avatar Feb 23 '16 13:02 takavarasha

I don't think it's ok for a user with edit right to set the maintainer to be any user on HDX. I doubt anyone would use this maliciously, but it is potentially confusing.

cjhendrix avatar Feb 23 '16 13:02 cjhendrix

this is only about the metadata, not about users that can edit the dataset.

danmihaila avatar Feb 23 '16 13:02 danmihaila

Yes. Once we add user2user communication, it's about who would receive the notification (or email or whatever).

cjhendrix avatar Feb 23 '16 13:02 cjhendrix

I get it now. The issue is the ANY hdx user part. I agree it should not be any hdx user. The list of maintainers should be limited to only those users who are admins or editors of the org that the dataset belongs to.

takavarasha avatar Feb 23 '16 13:02 takavarasha

I would say that the list of eligible maintainers of a particular dataset should be limited to the list of users who are members of the organization that owns the dataset. Earlier I had said admin or editor but I think any member of the organisation can be the maintainer.

takavarasha avatar Feb 23 '16 13:02 takavarasha

sounds good to me

cjhendrix avatar Feb 23 '16 14:02 cjhendrix

@cjhendrix @takavarasha A normal member (non-admin, non-editor) can only view but not edit the datasets of the organization. So is he still suitable as a maintainer of a dataset?

alexandru-m-g avatar Mar 03 '16 19:03 alexandru-m-g

Good question.

No, I'd say members are not suitable as maintainers.

cjhendrix avatar Mar 04 '16 08:03 cjhendrix

After discussing with @danmihaila, we decided to postpone this a bit as it would add more complexity to the javascript side since the organization of dataset is changeable:

  • [ ] we need javascript logic to make different requests to autocomplete API depending on the selected org.
  • [ ] If the org changes we need to reset the maintainer
  • [ ] There's a need for a new API endpoint that returns members of an org
  • [ ] server side validation to not allow a wrong maintainer via API

alexandru-m-g avatar Mar 04 '16 15:03 alexandru-m-g

ping @takavarasha @cjhendrix @yumiendo for comments. I think this is not going to be an easy task and let's discuss and decide what is the best solution we could implement here.

danmihaila avatar Mar 07 '16 14:03 danmihaila

Based on reading the thread - I think "dropdown with any member of the org" makes sense. (though having someone who's just a member as a maintainer seems not very practical...but in those cases admins can provide editor/admin status)

@alexandru-m-g can you explain "If the org changes we need to reset the maintainer"? you mean once the user is on "add data" page and changes the organisation dropdown, we need to reload new set of members?

yumiendo avatar Mar 07 '16 21:03 yumiendo

I agree with Yumi, a dropdown with all members would work. I also have concrete examples of ordinary members who are the maintainers of datasets. While not necessarily editors nor admins, these users delegate editorial tasks to other users in their organization. In addition, remember that maintainers will also receive questions about datasets when we eventually have user-to-user comms. I am not convinced that being an editor or admin should preclude a user from answering such questions about a dataset. For these reasons I am of the view that any member of an organization should be allowed to be the dataset maintainer.

takavarasha avatar Mar 07 '16 22:03 takavarasha

the scenario is like this: we are editing a dataset X which belongs to organization O1. Organization O1 has 2 members: M1 and M2. In edit form if we change from O1 to O2 the list of available members should also dynamically change because M1 and M2 users might not be part of O2. Question: the maintainer is not usually the same user who is editing the dataset?

danmihaila avatar Mar 08 '16 10:03 danmihaila

@yumiendo as you said "we need to reload new set of members." Also, if the organization changes, but before that the dataset already had a maintainer (from the previous org) we should empty the maintainer field (and basically not allow the dataset to get to a state where the maintainer is not from the org that is selected in the dataset)

alexandru-m-g avatar Mar 08 '16 17:03 alexandru-m-g

@alexandru-m-g that makes sense. hope this is not difficult to implement!

@danmihaila To your question - I think maintainer 'can be' an editor/owner of the dataset. (there may be other cases...) @takavarasha @cjhendrix ?

yumiendo avatar Mar 08 '16 17:03 yumiendo

assigned to @cjhendrix for comments. @takavarasha any thoughts?

danmihaila avatar May 04 '16 10:05 danmihaila

Just re-read the whole thread. I think we are agreed that:

  1. the maintainer dropdown should be populated with only members, editors, and admins of the org owning the dataset
  2. if the org is changed, the maintainer value should be cleared (with whatever validation implications this has)

cjhendrix avatar May 04 '16 10:05 cjhendrix

@cjhendrix for step no 2:

  • if the org is changed the maintainer value is cleared - ok.
  • if user will want to select a maintainer - what users will be displayed in the dropdown? the members of the new organization??

danmihaila avatar Jun 06 '16 09:06 danmihaila

Correct. The only valid maintainers are members (at any level) of the org which owns the dataset.

cjhendrix avatar Jun 06 '16 14:06 cjhendrix
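
Added example, not part of the thread or of the hdx-ckan code base: a sketch of the server-side check the thread converges on, so that a maintainer chosen outside the dropdown (for instance directly through the API) is still rejected and a stale maintainer is cleared when the org changes. The function names, the `ORG_MEMBERS` table and the user/org ids (`o1`, `o2`, `m1`, `m2`, `m3`, `linky`) are assumptions constructed for illustration; no CKAN API is used.

```python
# Added example: all names and data below are hypothetical, not hdx-ckan code.

# "Members (at any level)" of the owning org are valid maintainers.
VALID_CAPACITIES = {"member", "editor", "admin"}

# Constructed membership table: org id -> {user id: capacity in that org}
ORG_MEMBERS = {
    "o1": {"m1": "admin", "m2": "member"},
    "o2": {"m3": "editor"},
}


class MaintainerError(ValueError):
    """Raised when the requested maintainer is not in the owning org."""


def org_capacity(org_id, user_id, members=ORG_MEMBERS):
    """Return the user's capacity in the org, or None if not a member."""
    return members.get(org_id, {}).get(user_id)


def validate_dataset_update(existing, submitted, members=ORG_MEMBERS):
    """Merge submitted fields into the stored dataset and enforce the rule.

    existing  -- stored dataset dict, or None when creating
    submitted -- fields sent by the client (form or API); never trusted
    Returns the dict to store, or raises MaintainerError.
    """
    merged = dict(existing or {})
    merged.update(submitted)
    org = merged.get("owner_org")

    # Org changed without a new maintainer in the request: clear the old
    # one so the dataset never keeps a maintainer from the previous org.
    org_changed = existing is not None and existing.get("owner_org") != org
    if org_changed and "maintainer" not in submitted:
        merged["maintainer"] = None

    # Check against the org the dataset will belong to after the update,
    # not the org it belonged to before.
    maintainer = merged.get("maintainer")
    if maintainer is not None:
        if org_capacity(org, maintainer, members) not in VALID_CAPACITIES:
            raise MaintainerError(
                "maintainer %r is not a member of org %r" % (maintainer, org))
    return merged
```

The check runs on every create and update regardless of what the client-side dropdown offered, which is what the "server side validation" item in the checklist above asks for.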