Visibility
Visibility is stored in the solr doc as follows:
- if visibility='open' (aka public), the solr doc read_access_group_ssim includes 'public'
- if visibility='authenticated' (aka institutional), the solr doc read_access_group_ssim includes 'registered'
- if visibility='restricted' (aka private), nothing is added to the solr doc
Permission Templates
For Admin Sets:
Original implementation
CREATE TIME: admin_sets add access to the solr doc at create time via AdminSetCreateService
- set in solr doc from AdminSetCreateService#create
  - read group: 'public' (for visibility)
  - edit group: admin
  - creator: creator user (not given access via edit user)
- set in permissions table from AdminSetCreateService#create_permission_template and #access_grants_attributes
  - MANAGE group: admin
  - MANAGE user: creator user
- set in permissions table from AdminSetCreateService#create_default_access_for
  - DEPOSIT group: registered
UPDATE TIME: admin_sets adjust the above at update time via PermissionTemplateForm and via AdminSet (model)
- set in solr doc from AdminSet (model) #update_access_control! when called from PermissionTemplateForm#update_management, which is only called when a manager is added or deleted
  - edit user: all users with MANAGE permissions (includes creator user)
  - edit group: all groups with MANAGE permissions
  - NOTE: the creator gets edit access via this method because the creator was given MANAGE access during create AND this method is ONLY called when MANAGE participants are added or deleted
  - NOTE: no read users/groups are added, which only doesn't matter because the read group was set to Public above, which means everyone can read
- set in permissions table from PermissionTemplateForm#update -> #update_participants_options -> #update_permission_template -> AdminSet (model) #update
  - adds/removes a row in the access table with the agent_id, agent_type (e.g. 'user' | 'group'), and access (e.g. 'manage', 'deposit', 'view') values set in the form
Slight modification during sprint
CREATE TIME: admin_sets add access to the solr doc at create time via AdminSetCreateService
- set in solr doc from AdminSetCreateService#create
  - read group: 'public' (for visibility)
  - DO NOT SET edit group: admin
  - creator: creator user (not given access via edit user)
- set in permissions table from AdminSetCreateService#create_permission_template and #access_grants_attributes
  - MANAGE group: admin
  - MANAGE user: creator user
- NEW -- call AdminSet (model) #update_access_controls! to set solr doc edit permissions
- set in permissions table from AdminSetCreateService#create_default_access_for
  - DEPOSIT group: registered
UPDATE TIME: admin_sets adjust the above at update time via PermissionTemplateForm and via AdminSet (model)
- set in solr doc from AdminSet (model) #update_access_control! when called from PermissionTemplateForm#update_management, which is only called when a manager is added or deleted
  - edit user: all users with MANAGE permissions (includes creator user)
  - edit group: all groups with MANAGE permissions
  - NOTE: the creator gets edit access via this method because the creator was given MANAGE access during create AND this method is ONLY called when MANAGE participants are added or deleted
  - NOTE: no read users/groups are added, which only doesn't matter because the read group was set to Public above, which means everyone can read
- set in permissions table from PermissionTemplateForm#update -> #update_participants_options -> #update_permission_template -> AdminSet (model) #update
  - adds/removes a row in the access table with the agent_id, agent_type (e.g. 'user' | 'group'), and access (e.g. 'manage', 'deposit', 'view') values set in the form
All this is consistent with the Collections permissions approach EXCEPT
- collections set read_groups and read_users based on VIEW access
- admin_sets allow everyone to view all admin sets. This is incompatible with collection type approach and will need to be revisited before admin_sets can become just another collection type.
For Admin Sets:
| permission_template_access | admin set solr doc | ability: can? create_in_adminset | work solr doc | comments |
|---|---|---|---|---|
| :manage | edit_access | true | edit_access | admin is always a manager |
| :deposit | N/A | true | | |
| :view | N/A | false | read_access | |
For Collections:
| permission_template_access | collection solr doc | ability: can? create_in_collection | work solr doc | comments |
|---|---|---|---|---|
| :manage | edit_access | true | edit_access | admin is always a manager |
| :deposit | read_access | true | | access to works is granted only for works the user creates |
| :view | read_access | false | read_access | |
Visibility, which also impacts the collection solr doc's read_access field, is set in collection edit form → Discovery tab.
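The following Ruby block is an added illustration, not Hyrax's own code: it models how the permission_template_access rows and the visibility setting become the solr doc access fields described in the two tables above, and how the resulting doc answers "can this user read it?" and "can this user create in it?". It makes the admin set vs collection difference concrete: admin set deposit/view grants never reach the solr doc (everyone already reads because the read group is 'public'), while collection deposit/view grants land in read_access. The `AccessGrant` struct, the method names, and the sample agents are assumptions; of the four field names only read_access_group_ssim appears on this page, the other three follow the same hydra-access-controls person/group naming convention.

```ruby
# Added example (not Hyrax's own code): permission template grants and
# visibility -> solr doc access fields, for admin sets vs collections.
# Struct, method and agent names are assumptions for illustration only.

# Visibility -> groups added to read_access_group_ssim
VISIBILITY_READ_GROUPS = {
  'open'          => ['public'],     # aka public
  'authenticated' => ['registered'], # aka institutional
  'restricted'    => []              # aka private: nothing added
}.freeze

# One row of the permission_template_access table
# agent_type: 'user' | 'group'; access: 'manage' | 'deposit' | 'view'
AccessGrant = Struct.new(:agent_type, :agent_id, :access)

# Which solr access field (if any) a grant maps to, per the tables above.
# Admin set deposit/view are N/A: nothing is written to the solr doc.
def access_field(kind, grant)
  case [kind, grant.access]
  when [:admin_set, 'manage'], [:collection, 'manage'] then 'edit_access'
  when [:collection, 'deposit'], [:collection, 'view']  then 'read_access'
  end
end

# Build the container's solr access fields from its grants and visibility.
# Field names beyond read_access_group_ssim are assumed (hydra convention).
def solr_access_fields(kind, grants, visibility)
  doc = {
    'edit_access_group_ssim'  => [],
    'edit_access_person_ssim' => [],
    'read_access_group_ssim'  => VISIBILITY_READ_GROUPS.fetch(visibility).dup,
    'read_access_person_ssim' => []
  }
  grants.each do |g|
    field = access_field(kind, g)
    next unless field
    suffix = g.agent_type == 'user' ? 'person' : 'group'
    doc["#{field}_#{suffix}_ssim"] << g.agent_id
  end
  doc.transform_values(&:uniq)
end

# ability: can? create_in_* -> true for manage or deposit grants, false for view
def can_create_in?(grants, user, groups)
  grants.any? do |g|
    %w[manage deposit].include?(g.access) &&
      ((g.agent_type == 'user' && g.agent_id == user) ||
       (g.agent_type == 'group' && groups.include?(g.agent_id)))
  end
end

# Read check as answered from the solr doc: 'public' reads for everyone,
# 'registered' for any logged-in user, otherwise an explicit read/edit
# grant to the user or to one of the user's groups is required.
def can_read?(doc, user, groups)
  read_groups = doc['read_access_group_ssim'] + doc['edit_access_group_ssim']
  read_users  = doc['read_access_person_ssim'] + doc['edit_access_person_ssim']
  return true if read_groups.include?('public')
  return true if user && read_groups.include?('registered')
  read_users.include?(user) || (read_groups & groups).any?
end

# Constructed sample: an admin set as created by AdminSetCreateService
admin_set_grants = [
  AccessGrant.new('group', 'admin', 'manage'),
  AccessGrant.new('user', 'creator@example.org', 'manage'),
  AccessGrant.new('group', 'registered', 'deposit')
]
admin_set_doc = solr_access_fields(:admin_set, admin_set_grants, 'open')

# Constructed sample: a private collection with a depositor and a viewing group
collection_grants = [
  AccessGrant.new('group', 'admin', 'manage'),
  AccessGrant.new('user', 'depositor@example.org', 'deposit'),
  AccessGrant.new('group', 'staff', 'view')
]
collection_doc = solr_access_fields(:collection, collection_grants, 'restricted')

if __FILE__ == $PROGRAM_NAME
  p admin_set_doc
  p collection_doc
  p can_read?(admin_set_doc, nil, [])                          # anonymous reads the admin set
  p can_read?(collection_doc, nil, [])                         # anonymous cannot read the collection
  p can_create_in?(collection_grants, 'viewer@example.org', ['staff']) # view grant: cannot deposit
end
```

The deposit group 'registered' on the admin set shows the incompatibility noted above: on an admin set that grant only affects the ability check, whereas on a collection the same deposit grant would also put the agent into read_access.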