Cannot uncheck Allow everyone to read checkbox

[rufuspollock]

If you set up bookmarklet to have a default of allowing everyone to read the checkbox cannot be unchecked in the UI.

[aron]

This will happen if the value for the "read" action when setting up the permissions plugin is an empty array, ie. publicly readable.

In this case the checkbox cannot be used because there are no permissions to apply to it if the box were to be unchecked. So we freeze it. The checkbox can be hidden in this case by setting the (currently undocumented) showViewPermissionsCheckbox option to false.

annotator.addPlugin('Permissions', {
  user: 'Alice',
  permissions: {
    'read':   [], // Annotations are always public.
    'update': ['Alice'],
    'delete': ['Alice'],
    'admin':  ['Alice']
  },
  showViewPermissionsCheckbox: false // Hide view checkbox.
});

I will document this and showEditPermissionsCheckbox right now

[aron]

Documented under the options heading. http://github.com/okfn/annotator/wiki/Permissions-Plugin

[rufuspollock]

Not sure this is really the right way it should work. We want to allow people to restrict access if they want. Why couldn't unchecking simply result in current user id being put in the read list?

Generally this suggests we should rework the authorization system to explicitly denote 'everyone'.

[aron]

Take the current example:

{
'read':   [], // Annotations are always public.
'update': ['Alice'],
'delete': ['Alice'],
'admin':  ['Alice']
}

It should be possible to uncheck this checkbox if an admin (Alice) is viewing the annotation. Otherwise the checkbox should be permanently disabled (or not even displayed to the user?).

Once unchecked the current user's id should be inserted into the 'read' array. (Question: should all annotation admins be inserted into the 'read' array? Probably).

We have decided to postpone this ticket for now as there remains a larger discussion to be resolved regarding the implementation of permissions.

[nickstenning]

Okay, let's reopen this conversation. When I originally designed the permissions plugin, the meaning of [] and null or undefined was different. Specifically, {delete: null} or {} meant "anyone can delete", while {delete: []} meant "no-one can delete". Do we currently have a way of specifying the latter?

I agree with Aron that if the viewing user doesn't have 'admin' authorisation for the current annotation (which for AnnotateIt they do have by default for annotations they created) then we shouldn't display any Permissions UI.

[nickstenning]

So, note to self: this needs fixing, as users using AnnotateIt should be able to prevent their annotations showing up in public-readable searches, if they so desire.

[aron]

users using AnnotateIt should be able to prevent their annotations showing up in public-readable searches

Is this not possible now by adding their id into the read array?

Specifically, {delete: null} or {} meant "anyone can delete", while {delete: []} meant "no-one can delete". Do we currently have a way of specifying the latter

No, I don't think their is anyway that you can specify the latter without putting the creators (or someones) id into the array. Although that said, this might be possible by putting null into the array eg. {delete: [null]}.

[nickstenning]

Is this not possible now by adding their id into the read array?

Yes, it is, but the UI doesn't actually allow you to uncheck the box that would do that!

As for the second issue, I think it's probably less of a concern now. It doesn't make that much sense to allow people to prevent themselves from deleting an annotation.

[nickstenning]

Closed by 7cae58b

[aron]

Yes, it is, but the UI doesn't actually allow you to uncheck the box that would do that!

I believe it allowed you to uncheck it if you put the id in the @options.permissions when the plugin was loaded. That's why it was storing the id in the data attribute. Your update is simpler for now anyway.