define and implement permissions for editing content items according to rights concept (multi-site editor) #492

Closed
MyPyDavid opened this issue May 11, 2022 · 1 comment

Comments

@MyPyDavid
Member

MyPyDavid commented May 11, 2022

Rationale

With respect to the implementation of an owner property for content items (#490) and a 'site-editor' role (#491), the rights and permissions should be checked and defined according to a concept of access rights for editors (we have a concept, it is, however, still open for discussion).

Affected

Users, Managers, Admins

Minimal functionality

  • define editor rights and permissions according to concept
  • define a 'multi-site editor' (or e.g. 'super editor', 'instance editor', 'main editor', etc.)

References

Concept for permissions for Editors in a multi-site setting

The Role model gets an editor field, which is similar to the manager field, an m2m with sites.
A multisite Editor has all sites of the Instance, or it should be a checkbox.
A site Editor has usually only one site but can receive more.

The multisite Editor should have CRUD permissions for all element objects (ModelPermission level).
The site Editor needs more fine-grained object-level permissions.
This requires that the element objects also receive an additional "ownership" field (can be done via the sites?)

Catalogs

  • (update) Editor-rights per site, only an Editor of the site can edit Catalogs of their own site.
    • Assign editor rights per tenant, i.e. an Editor can only edit content of their own tenant
  • (read) An Editor sees only Catalogs from his site, or Catalogs shared from other sites as read-only.
    • An Editor sees only catalogs of their own tenant (possibly with the option to display the other catalogs read-only)
  • (multisite editor role property) An Editor with rights for all sites inside the instance.
    • Super editor, who can edit all tenants, can see all catalogs

Domain

  • (read) Readable for all site Editors
    • Readable for Editors
  • (create and update) ModelPermission Only for the multi-site Editor
    • ObjectPermissions per site by each site Editor

Optionsets

  • (read) Readable for all site Editors
  • site Editors can not update optionsets which are used in Catalogs (which are used) by other sites
    • Editors should not be able to edit sets that affect catalogs of other tenants
  • (create and update) multisite Editors have ModelPermissions
    • site Editors have ObjectPermissions

Conditions

same as Optionsets

Tasks

same as Optionsets

Views

  • all are CRUD-able for multisite Editor
    • site Editor can CRUD for their own site (can not delete shared views)

Import

  • multisite Editors can update Catalogs from each site at import.
  • site Editors can import new Catalogs for their own site.
    • can update own Catalogs at import
@MyPyDavid MyPyDavid changed the title define and implement rights for editing content items according to rights concept (multi-site editor) define and implement permissions for editing content items according to rights concept (multi-site editor) May 11, 2022
@MyPyDavid MyPyDavid self-assigned this Dec 14, 2022
@MyPyDavid MyPyDavid added this to the 2.0.0 milestone Jun 13, 2023
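The concept above expressed as a default-deny decision function, as an added example that is not part of the issue or the project's code. The `Editor` and `Element` classes, the `shared_with` and `used_by_sites` fields, and the reading of "shared views" as views shared with other sites are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Editor:
    sites: frozenset         # sites from the role's editor m2m field
    multisite: bool = False  # assumption: the "checkbox" variant of the concept

@dataclass(frozen=True)
class Element:
    kind: str                               # "catalog", "domain", "optionset", ...
    owner_sites: frozenset                  # assumption: ownership expressed via sites
    shared_with: frozenset = frozenset()    # sites that get read-only access
    used_by_sites: frozenset = frozenset()  # sites whose catalogs use this element

# Readable for all site editors according to the concept.
READ_ALL = {"domain", "optionset", "condition", "task"}
# "same as Optionsets": no changes while catalogs of other sites use the element.
USAGE_GUARDED = {"optionset", "condition", "task"}

def can(editor: Editor, action: str, element: Element) -> bool:
    """Decide read/update/delete for an editor on one element."""
    if action not in {"read", "update", "delete"}:
        raise ValueError(f"unknown action: {action}")
    if editor.multisite:
        return True  # model-level CRUD on all element objects
    owns = bool(editor.sites & element.owner_sites)
    if action == "read":
        shared = bool(editor.sites & element.shared_with)
        return element.kind in READ_ALL or owns or shared
    if not owns:
        return False  # shared elements stay read-only; default deny
    if element.kind in USAGE_GUARDED and not element.used_by_sites <= editor.sites:
        return False  # assumption: delete is guarded like update
    if element.kind == "view" and action == "delete" and element.shared_with:
        return False  # site editors cannot delete shared views
    return True
```

Keeping the rules in one pure function makes the matrix of role, action and element kind testable before it is wired into model-level and object-level permission checks.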
@MyPyDavid
Member Author

MyPyDavid commented Oct 30, 2023

The rules for all the elements and user roles are in:

closed by 2.0.0
