Supervised Order with OBSERVER permissions can only view the item #2226
@alisaismailati : Thanks for this bug fix! I've verified that it works. I can only see the "Edit" and "Delete" buttons when a supervision order gives EDITOR permissions...not with just OBSERVER.
However, I found a small bug in the existing code (I see an error in my browser's DevTools console). I also think there's a small performance improvement we could make. Once these fixes are applied, I can retest this.
const activeEPerson$ = this.authService.getAuthenticatedUserFromStore(); | ||
|
||
this.isAdmin$ = activeEPerson$.pipe( | ||
switchMap((user: EPerson) => this.authorizationService.isAuthorized(FeatureID.AdministratorOf, user.uuid))); |
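Review bot: in the switchMap callback, user.uuid is read without any guard, so if getAuthenticatedUserFromStore() ever emits a null or undefined user, the stream throws before an authorization check is made, and nothing in these lines handles that or a failed isAuthorized request. Suggest filtering for a defined user before the switchMap (or not passing the user at all if the service can default to the current session), and making sure the template treats an errored or unresolved isAdmin$ as "not authorized" so the Edit and Delete buttons stay hidden in that case.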
I think this isAuthorized() call is incorrect, as I'm seeing an error in my browser's DevTools console. The backend returns 400 Bad Request on this line.
I believe it should simply be:
this.isAdmin$ = this.authorizationService.isAuthorized(FeatureID.AdministratorOf);
(See for example item-page.component.ts which has this same code).
src/app/shared/mydspace-actions/workspaceitem/workspaceitem-actions.component.ts
@alisaismailati or @atarix83 : Could this be rebased on latest |
👍 Thanks @alisaismailati and @atarix83 . This looks good now & works except there's an unused isAdmin variable still in the code. I'll wait to merge this until that can be removed, see inline below.
Description
Supervised Order with OBSERVER permissions should only view an item and not be able to delete or edit it, so the buttons for delete and edit actions should not be displayed. In order not to show the buttons, we check the authenticated user's permissions for editing the item.
Instructions for Reviewers
To show only the view button for the Supervised Order with OBSERVER permissions on MyDSpace, we check if the authenticated user's permissions allow him to edit/delete the item. First, we identify if the user is an administrator; this way the user has all rights. We also need to identify, based on FeatureID.CanEditItem, if the user can edit the item and therefore can delete the item (since if the user is able to access the edit page, the item can also be discarded from there).
List of changes in this PR:
Follow the steps from #2094 to be able to reproduce the behavior and notice that the Edit & Delete buttons do not appear on the MyDSpace page for the OBSERVER role.
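The visibility rule from the description above (administrator, or able to edit the item, otherwise view only), as an added example that is not code from this PR or from DSpace. It uses a constructed in-memory model with hypothetical names (`SupervisionOrder`, `visibleActions`, `authorize`) to show the client-side check failing closed when an authorization lookup errors, next to the server-side check that has to reject the request even if a button is shown.

```typescript
// Added example: a constructed, in-memory model, not DSpace code.
type Permission = "OBSERVER" | "EDITOR";
type Action = "view" | "edit" | "delete";
// "error" stands for an authorization request that failed (e.g. a 400 response).
type Check = boolean | "error";

interface SupervisionOrder { itemId: string; userId: string; permission: Permission; }
interface User { id: string; isAdmin: boolean; }

// Constructed sample data: one observer and one editor supervising item-1.
const ORDERS: SupervisionOrder[] = [
  { itemId: "item-1", userId: "observer", permission: "OBSERVER" },
  { itemId: "item-1", userId: "editor", permission: "EDITOR" },
];

// Stand-in for the backend's "can edit item" decision.
function canEditItem(user: User, itemId: string, orders: SupervisionOrder[]): boolean {
  if (user.isAdmin) { return true; }
  return orders.some((o) =>
    o.itemId === itemId && o.userId === user.id && o.permission === "EDITOR");
}

// Client side: which buttons to render. Only an explicit `true` unlocks
// Edit/Delete, so a failed or missing check leaves the view button alone.
function visibleActions(isAdmin: Check, canEdit: Check): Action[] {
  const mayEdit = isAdmin === true || canEdit === true;
  return mayEdit ? ["view", "edit", "delete"] : ["view"];
}

// Server side: the decision that actually protects the item. Hiding a button
// does not stop a crafted request, so every action is checked again here.
function authorize(user: User | null, action: Action, itemId: string,
                   orders: SupervisionOrder[]): number {
  if (user === null) { return 401; }
  const supervised = orders.some((o) => o.itemId === itemId && o.userId === user.id);
  if (action === "view") { return user.isAdmin || supervised ? 200 : 403; }
  // Edit and delete share one rule, as in the description: whoever can reach
  // the edit page can also discard the item from there.
  return canEditItem(user, itemId, orders) ? 200 : 403;
}
```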