
Prevent sharing works and filesets with unintended groups #6823

Status: Open. Wants to merge 12 commits into base: main
Conversation

davidcam-src (Collaborator) commented Jun 4, 2024

Fixes #6822

Summary

Guidance for testing:

Criteria: Users should not be able to share works to groups outside of the visibility restrictions of the admin set it belongs to

  1. As a non admin user, create a new work in Nurax.
  2. Select an admin set with exclusive private visibility in the Relations tab.
  3. In the sharing settings tab, ensure that "public" or "registered" are not selectable options

Criteria: Users should not be able to share works to groups outside of the visibility restrictions of the admin set it belongs to

  1. As a non admin user, create a new work in Nurax.
  2. Select an admin set with exclusive private visibility in the Relations tab.
  3. Fill out the form as usual and add a file. Check the deposit agreement and click save.
  4. Go to the dropdown for the file on the work page and select Edit
  5. Click the permissions tab and verify that visibility restrictions for the admin set are being applied to the radio buttons (private should be the only option available)

Changes proposed in this pull request:

  • Additional argument for the visibility component to pass in an admin set widget in the permissions control JavaScript
  • file_set_admin_set_option function added to retrieve the admin set for any given file
  • Non-visible admin_set_options partial added to permission.html.erb to ensure the permissions control JavaScript executes; it only renders for non-admins, so that admins can still easily override sharing restrictions imposed by admin sets
  • Replace current_user.groups in permission_form.html.erb with an available_user_groups function call
  • Remove the "registered" and "public" groups from the groups that can be selected for file sharing if the user is not an admin

@samvera/hyrax-code-reviewers

… options to restrict the visibility options provided to the user Closes #6822
@davidcam-src davidcam-src added the notes-bugfix Release Notes: Fixed a bug label Jun 4, 2024
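The rule this PR applies in the form (a non-admin sees only the sharing groups and visibility values the admin set's permission template allows) written as a server-side check, as an added example that is not Hyrax code and not part of this PR. Filtering the radio buttons and group list in the permissions-control JavaScript and a non-visible partial shapes what the browser offers; a depositor who re-enables a disabled control or hand-crafts the POST can still send "public" or "registered", so the same policy should also be applied where the form is processed. The AdminSetPolicy module, the User and PermissionTemplate structs, the read_groups parameter name and the sample users below are assumptions; the visibility strings follow the Hydra access-controls convention (open, authenticated, restricted).

```ruby
# Added example, not Hyrax code: enforce the admin set's visibility restriction
# on the server, not only in the permissions form.

# Constructed stand-ins for the objects the real app loads from its database.
User = Struct.new(:name, :groups, :admin) do
  def admin?
    admin
  end
end

# visibility: the permission template's restriction, or nil when the admin set
# imposes none.
PermissionTemplate = Struct.new(:visibility)

module AdminSetPolicy
  # Visibility strings as used by Hydra access controls (assumed here).
  PUBLIC     = 'open'
  REGISTERED = 'authenticated'
  PRIVATE    = 'restricted'

  # Ordered from most to least restrictive; a template visibility permits
  # itself and everything more restrictive.
  ORDER = [PRIVATE, REGISTERED, PUBLIC].freeze

  # Sharing group implied by each non-private visibility level.
  GROUP_FOR = { PUBLIC => 'public', REGISTERED => 'registered' }.freeze

  # Visibility values this user may choose for a work or file set in the
  # admin set. Admins keep every option so they can override the restriction.
  def self.allowed_visibilities(user, template)
    return ORDER if user.admin? || template.visibility.nil?
    idx = ORDER.index(template.visibility)
    raise ArgumentError, "unknown visibility #{template.visibility.inspect}" if idx.nil?
    ORDER.take(idx + 1)
  end

  # Groups the user may share with: the user's own groups minus any group that
  # is implied by a visibility level the admin set forbids.
  def self.available_user_groups(user, template)
    allowed = allowed_visibilities(user, template)
    forbidden = GROUP_FOR.reject { |vis, _| allowed.include?(vis) }.values
    user.groups - forbidden
  end

  # Server-side validation of submitted form params (hypothetical keys
  # :visibility and :read_groups). Returns a list of violations; empty means
  # the submission is acceptable.
  def self.violations(user, template, params)
    errors = []
    vis = params[:visibility]
    if vis && !allowed_visibilities(user, template).include?(vis)
      errors << "visibility #{vis.inspect} exceeds admin set restriction #{template.visibility.inspect}"
    end
    bad = Array(params[:read_groups]) - available_user_groups(user, template)
    errors << "groups not permitted by admin set: #{bad.join(', ')}" unless bad.empty?
    errors
  end
end

# Walk-through on constructed data (no real users or admin sets).
if __FILE__ == $PROGRAM_NAME
  depositor   = User.new('depositor', %w[public registered lab-members], false)
  admin       = User.new('admin', %w[public registered admin], true)
  private_set = PermissionTemplate.new(AdminSetPolicy::PRIVATE)

  p AdminSetPolicy.available_user_groups(depositor, private_set)
  # A POST that ignores the disabled radio buttons is rejected for the depositor ...
  p AdminSetPolicy.violations(depositor, private_set, visibility: 'open', read_groups: ['public'])
  # ... and accepted for an admin, matching the override the PR preserves.
  p AdminSetPolicy.violations(admin, private_set, visibility: 'open', read_groups: ['public'])
end
```

The same two functions can back the form (to decide which options to render) and the controller or form object (to reject what the browser was never meant to send), so the UI and the enforcement cannot drift apart.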

github-actions bot commented Jun 4, 2024

Test Results

    17 files ±0   17 suites ±0   2h 18m 10s ⏱️ +53s
 6 706 tests ±0   6 409 ✅ +1   297 💤 ±0   0 ❌ −1
13 180 runs  ±0  12 785 ✅ +1   395 💤 ±0   0 ❌ −1

Results for commit 3562ca7. ± Comparison against base commit 891cdb5.

This pull request removes 267 and adds 267 tests. Note that renamed tests count towards both.

♻️ This comment has been updated with latest results.

Labels: notes-bugfix (Release Notes: Fixed a bug)

Successfully merging this pull request may close these issues: Depositors able to override admin set visibility restrictions (#6822)