argo
argo copied to clipboard
sul-dlss
Roles - Implement the read-only "viewer" roles
There are two roles that allow viewing of objects but no data modification actions -- no datastream updates, no blue buttons that take action or alter data. This includes actions like reindex and republish. The roles are
sdr-viewer -- repository wide providing read-only access to all objects. Like sdr-admin, it us a global role that bypasses apo checks dor-apo-viewer -- same read-only permissions, but limited to only those APO-governed objects you have this role in, assuming you don't have a higher role in that APO (e.g., if you are part of a workgroup with a higher role).
Former discussion ... according to lynn and rosy, this might not be working as expected.
"Here is the apo that dlss:developers role has view access to: https://argo-test.stanford.edu/catalog/druid:bc682xk5613 and here are the objects related to that APO: https://argo-test.stanford.edu/view?f%5Bapo_title_facet%5D%5B%5D=abstract+test+apo
I should say that Laney could view the list of objects associated with the APO, but couldn't click through and view the detail view of the content."
comment from lynn on ARGO-301 (https://jirasul.stanford.edu/jira/browse/ARGO-301?focusedCommentId=127199&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-127199): "Apparently this role is actually inoperative, and the named users get broken privileges -- you can find objects and see the search result, but cannot access the detail views. Can we fix this? do you need a separate ticket?"
note to self for something to investigate: the role that's added to the object is "dor-apo-viewer". however, the dor-services code that does privilege checks looks for "dor-viewer" or "sdr-viewer". maybe that mismatch is a problem? relevant code (or, code on which this guess was based): https://github.com/sul-dlss/argo/blob/develop/app/controllers/apo_controller.rb#L78 https://github.com/sul-dlss/dor-services/blob/v4.12.3/lib/dor/models/governable.rb#L140
note the super-user-y construction of the role name checked in dor-services: "dor-viewer"/"sdr-viewer" follows the pattern of "dor-administrator"/"sdr-administrator", not "dor-apo-manager". similar to the hardcoded group names for DOR-wide managers and admins, a user could be a DOR-wide viewer if they were in the workgroup "sdr:viewer-role" or "dlss:dor-viewer". see: https://github.com/sul-dlss/argo/blob/develop/config/initializers/permissions.rb
also notable: according to grep, the string "dor-apo-viewer" only appears in the dor-services unit tests, and not at all in the main codebase. it appears in argo in APO creation/editing, the list of known roles in the User class, and a couple unit tests.
