Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

People with orgUnit constraint should only perform read operation on datasets not assigned to an orgUnit #3426

Closed
t83714 opened this issue Nov 8, 2022 · 1 comment
Closed

People with orgUnit constraint should only perform read operation on datasets not assigned to an orgUnit #3426

t83714 opened this issue Nov 8, 2022 · 1 comment

Comments

@t83714
Copy link
Contributor

t83714 commented Nov 8, 2022

Description

People with orgUnit constraints should only be able to perform the read operation on datasets not assigned to an orgUnit.

We currently allow people with the orgUnit constraint to perform any granted permissions on datasets not assigned to an orgUnit.

This use case is to grant public users read access to some public datasets.

However, it might potentially allow users from other departments who has been granted edit/update permission to edit / update the datasets.

To solve this issue, we will alter the rule in the policy that only allows read permission can be granted to other users via permissions with the orgUnit constant.

Technical Notes

  • This change won't stop a non-admin user to set a dataset to a public dataset as he should still have the update permission via permission with ownership constraint
  • Once the dataset's orgUnitId is set to empty, users who has only permission orgUnit constraint within the same department as the creator will lose the update / delete permission. If the creator still want to share the update / delete permission within his department, he can create an access group.
t83714 added a commit that referenced this issue Nov 9, 2022
@t83714
#3426 People with orgUnit constraint permission should only be able t…
6a999e2 
…o perform read operation on datasets not assigned to an orgUnit
@t83714 t83714 mentioned this issue Nov 9, 2022
Merged
2 tasks
t83714 added a commit that referenced this issue Nov 9, 2022
@t83714
Merge pull request #3423 from magda-io/issue/3421
588ba63 
#3421, #3426 & #3424 and more...
@t83714
Copy link
Contributor Author

t83714 commented Nov 10, 2022

closed via PR: #3423

@t83714 t83714 closed this as completed Nov 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@t83714