
restricted data providers in NeuroHub

Open MontrealSergiy opened this issue 4 years ago • 8 comments

Even if a data provider is assigned to a particular project, an admin might be able to use it within another project to store some files. The files he uploaded would be visible to project members in NeuroHub but not CBRAIN.

While ideally NeuroHub and CBRAIN should follow similar visibility rules, this discrepancy only happens when an admin uses a data provider differently from its purpose, so the issue is not critical.

Steps to reproduce

  1. Log in as admin.
  2. As admin, create a data provider assigned to some highly restrictive project (e.g. admin).
  3. Create a new shared project.
  4. Set it as non assignable (read-only) to regular members.
  5. Upload a few files to the new shared project, yet assign them to that restricted data provider rather than the default.
  6. Add a few members to the project.
  7. Log in as a project member.

Observed: the members see the new files in NeuroHub but not in CBRAIN.

Expected: members see files neither in NeuroHub nor CBRAIN (or, maybe see in both).

MontrealSergiy avatar Dec 21 '20 13:12 MontrealSergiy

I'm not sure I understand. What is the issue here? Yes, admins can do things normal users cannot do, but that's expected. What is the problem to fix?

prioux avatar Dec 21 '20 16:12 prioux

Also, how can files be visible in NeuroHub and not CBRAIN? Can you give an exact description of the sequence of events that leads to this?

prioux avatar Dec 21 '20 16:12 prioux

The sequence of steps is added to the bug description.

MontrealSergiy avatar Dec 21 '20 20:12 MontrealSergiy

There doesn't seem to be a link between the DP and the project. Are we supposed to assign the DP created in step 2 to the project created in step 3?

prioux avatar Dec 21 '20 20:12 prioux

Also, when uploading the files in step 5, which project are they assigned to?

prioux avatar Dec 21 '20 20:12 prioux

> There doesn't seem to be a link between the DP and the project. Are we supposed to assign the DP created in step 2 to the project created in step 3?

The Data Provider is assigned to files that are uploaded to the new project. There is no direct relation between the new project and data provider.

MontrealSergiy avatar Dec 21 '20 21:12 MontrealSergiy

So I think I understand. When fetching a list of files associated with a project, in NeuroHub, we don't filter by content accessibility. It's something we do on the CBRAIN side, though. We do something like (pseudo code):

   list_of_accessible_data_provider_ids = DataProvider.something.pluck(:id)
   list_of_files = userfile_scope.where(stuff).where(:data_provider_id => list_of_accessible_data_provider_ids)

So I think we should do the same thing on the NeuroHub side. Can you try it out and make a PR if it's easy?

prioux avatar Dec 23 '20 17:12 prioux
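
The filter suggested in the comment above, as an added example that is not part of the thread and is not CBRAIN or NeuroHub code: a plain-Ruby model of the reproduction steps that compares a project-only listing with one that also filters by accessible data providers. The structs, constants, sample files and the rule that a provider is accessible to members of its project are assumptions made for illustration.

```ruby
# Simplified in-memory model (constructed data; all names are hypothetical,
# not CBRAIN's or NeuroHub's actual classes or schema).
User         = Struct.new(:id, :login, :group_ids)
DataProvider = Struct.new(:id, :name, :group_id)
Userfile     = Struct.new(:id, :name, :group_id, :data_provider_id)

ADMIN_GROUP  = 1   # highly restrictive project from step 2
SHARED_GROUP = 2   # shared project from step 3

PROVIDERS = [
  DataProvider.new(10, "RestrictedDP", ADMIN_GROUP),
  DataProvider.new(11, "DefaultDP",    SHARED_GROUP),
]
FILES = [
  Userfile.new(100, "scan_a.nii", SHARED_GROUP, 10), # step 5: restricted DP
  Userfile.new(101, "scan_b.nii", SHARED_GROUP, 10),
  Userfile.new(102, "notes.txt",  SHARED_GROUP, 11), # on the default DP
]
ADMIN  = User.new(1, "admin",  [ADMIN_GROUP, SHARED_GROUP])
MEMBER = User.new(2, "member", [SHARED_GROUP])

# Assumption: a provider is accessible when the user belongs to its project.
def accessible_data_provider_ids(user)
  PROVIDERS.select { |dp| user.group_ids.include?(dp.group_id) }.map(&:id)
end

# Listing that checks project membership only (the behaviour reported for NeuroHub).
def list_by_project_only(user, group_id)
  return [] unless user.group_ids.include?(group_id)
  FILES.select { |f| f.group_id == group_id }
end

# Listing that also filters by accessible data providers (the pseudo code above).
def list_with_provider_filter(user, group_id)
  dp_ids = accessible_data_provider_ids(user)
  list_by_project_only(user, group_id).select { |f| dp_ids.include?(f.data_provider_id) }
end

# Files one listing exposes that the other hides: the discrepancy to test for.
def visibility_gap(user, group_id)
  (list_by_project_only(user, group_id) - list_with_provider_filter(user, group_id)).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  [ADMIN, MEMBER].each do |u|
    puts "#{u.login}: gap=#{visibility_gap(u, SHARED_GROUP).inspect}"
  end
end
```

A regression test for the fix can assert that the gap is empty for every non-admin member of a project, whichever interface produces the listing.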

Ok, will do. Not sure if there is any need to change NeuroHub docs or explanations.

MontrealSergiy avatar Dec 23 '20 18:12 MontrealSergiy