User right access on metadata editor #42

Closed
rogers492 opened this issue Mar 3, 2017 · 4 comments

@rogers492

From @benjaminsaclier on May 12, 2015 10:7

At present, an OpenWIS user who has permission to edit metadata has the ability to:
1/ add new metadata to any set of the catalogue
2/ move a metadata record (of which the user is owner) to any other set
3/ add new metadata using any uniform resource name (URN).
This behavior is not compliant with WMO and is a risk to metadata management in OpenWIS.

The proposed evolution is the following:
1/ Have the ability to associate an OpenWIS user/editor with a specific set; in that case the user can only add/modify/delete metadata from this set.
2/ Have the possibility to specify URN regular expressions for a specific user; in that case the user can only add/modify/delete metadata whose URN matches the regular expression. For example, the following regular expressions only authorize a user to work on Meteo-France metadata:
"x-wmo:bulletin:int.wmo.wis::......LFPW$"
":x-wmo:bulletin:int.wmo.wis::[TAZW].*_C_LFPW"

Benjamin

Copied from original issue: OpenWIS/openwis#73
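
Added example, not part of the issue thread or the OpenWIS code base: a sketch of the proposed check, where an editor is tied to catalogue sets and URN patterns and every add, modify, delete or move is denied unless both match. The class and function names, the set names, the sample URNs, the deny-by-default behaviour and the use of `re.search` are assumptions; the two patterns are the ones quoted in the comment above.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class EditorPolicy:
    """Hypothetical per-editor restriction (names are assumptions, not OpenWIS's)."""
    sets: frozenset      # catalogue sets the editor is associated with
    urn_patterns: tuple  # compiled URN regular expressions

def make_policy(sets, patterns):
    return EditorPolicy(frozenset(sets), tuple(re.compile(p) for p in patterns))

def urn_allowed(policy, urn):
    # Assumption: search semantics, since the quoted patterns do not start
    # with "urn:" and use "$" where an end anchor is wanted.
    return any(p.search(urn) for p in policy.urn_patterns)

def may_edit(policy, urn, metadata_set):
    """Add, modify or delete: both the set and the URN must be permitted."""
    return metadata_set in policy.sets and urn_allowed(policy, urn)

def may_move(policy, urn, source_set, target_set):
    """Move: the editor must be entitled to the record where it is and where it goes."""
    return may_edit(policy, urn, source_set) and may_edit(policy, urn, target_set)

# The two patterns quoted in the issue; set names and URNs below are constructed.
METEO_FRANCE = make_policy(
    {"meteo-france"},
    [
        "x-wmo:bulletin:int.wmo.wis::......LFPW$",
        ":x-wmo:bulletin:int.wmo.wis::[TAZW].*_C_LFPW",
    ],
)
NO_ASSOCIATION = make_policy(set(), [])  # editor with nothing assigned: denied

OWN_URN = "urn:x-wmo:bulletin:int.wmo.wis::FCFR31LFPW"            # constructed
OWN_FILE_URN = "urn:x-wmo:bulletin:int.wmo.wis::T_FCFR31_C_LFPW"  # constructed
FOREIGN_URN = "urn:x-wmo:bulletin:int.wmo.wis::FCUK31EGRR"        # constructed

if __name__ == "__main__":
    print(may_edit(METEO_FRANCE, OWN_URN, "meteo-france"))
    print(may_edit(METEO_FRANCE, FOREIGN_URN, "meteo-france"))
    print(may_move(METEO_FRANCE, OWN_URN, "meteo-france", "other-centre"))
```

The dots in `int.wmo.wis` are regex wildcards in the patterns as quoted, so they match any character in those positions; escaping them tightens the match.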

@rogers492

From @woollattd on March 2, 2016 8:10

This is a requirement that was not met
a) REQ-M.4.4.17: User MUST not be able to access particular metadata, data nor services unless they have the appropriate roles
b) REQ-M4.1.1.11: The system MUST maintain the integrity of the data

This was picked up in
OWT-451 - allow metadata editors to belong to a group
OWT-504 - any editor can modify/replace someone else's metadata
OWT-505 - Any Editor can see all Categories - need to only be able to see their own

Also Security tests have picked up the ability to add scripts to the 'Title' of a metadata leaving users exposed as well as other GISCs should they harvest it.

@rogers492

From @lmika-bom on March 2, 2017 21:9

Should be looked at for v4.

@rogers492

2017-TC workshop score = 1

@rogers492

Development of OpenWISv4 is stopped.
