Introduce variable roles per different transects
As an API user, I want to be able to define different sets of roles for different transects. A regular user on some transects can have an admin role on other transects.
Estimation
- (3h) Create join entity user-role-transect
- (0h) Visibility (repositories): should not change, as visibility for transect-related entities is still determined by the user's assignment to the transect, not the role
- (1 day) Permissions to edit / create
  - TmdRolePermissions mapping: transect access cannot be controlled here, because there is no context of the logged-in user
  - must be controlled via some service in validators (or UpdateAllowedTrait) / for every entity (transect, section, sectionEvent, inspection, observation)
  - UserService must be modified to take transects into account
- (0h) Check TransectUserHistory (seems there should be no change, as all required data regarding the transect is there)
- (2 days) Tests - possibly big impact on tests

These are guidelines; the solution is not crystal clear. Rough estimation: 3.5 days.
Description
When a user has the role RegionalCoordinator, it must be possible to assign transects on which the user has coordinator privileges. Coordinator privileges on a transect mean that the user has permissions over the assigned transects, as specified in https://confluence.digitalearth-hgf.de/display/RMMP/Rollen+und+Rechtekonzept
AC
- entity RegionalCoordinator is implemented (with relations to User and Transect)
- when a record is added to RegionalCoordinator, role RegionalCoordinator is automatically added to the user
- when all the records for a specific user are deleted from the RegionalCoordinator table, role RegionalCoordinator is removed from that user
- when a record is added to RegionalCoordinator, the user is added to the transect-user relation
- when a record is removed from RegionalCoordinator, the user-transect relation on Transect is deleted
- user-transect combination in RegionalCoordinator is unique (validation)
- on updating a transect there is an additional check whether the user is coordinator for that transect
  - this validation is applied to all transect-dependent entities (Inspection, SectionEvent, Section, Observation)
- admin and project lead can add and remove RegionalCoordinator
- Tests
Additional points:
- The error message is confusing when trying to create a landcoordinator without permissions: user: User must have a role Land Coordinator
  - behavior is changed, there is no more check if the user has the role (roles will be automatically assigned)
- There is no constraint for LandCoordinator. The same federal state can be entered multiple times. (Is that intended?)
  - added unique constraints to LandCoordinator and SpeciesSpecialist
- I get "Access Denied." on mutation deleteLandCoordinator ($input: deleteLandCoordinatorInput!) { as "message": "Access denied to modify property landCoordinators of User"
  - Permissions granted
- Also, the values for icc2 are not validated. Anything can be entered.
  - Will not be implemented at this point
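
The acceptance criteria above (automatic role assignment, uniqueness, and the per-transect update check) modelled as an added Python example; it is not the project's code. Class, method and role identifiers are hypothetical, and every transect-dependent entity is assumed to carry the id of its transect.

```python
# Added illustration; all names are hypothetical, not the project's code.
from dataclasses import dataclass, field

ROLE_RC = "RegionalCoordinator"
MANAGER_ROLES = {"Admin", "ProjectLead"}  # assumed role identifiers


@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)


@dataclass
class Entity:
    kind: str         # Transect, Section, SectionEvent, Inspection, Observation
    transect_id: int  # assumption: each entity resolves to exactly one transect


class CoordinatorRegistry:
    def __init__(self):
        self.records = set()         # RegionalCoordinator rows: (user_id, transect_id)
        self.transect_users = set()  # transect-user relation

    def _require_manager(self, actor):
        if not actor.roles & MANAGER_ROLES:
            raise PermissionError("only admin or project lead may manage coordinators")

    def add(self, actor, user, transect_id):
        self._require_manager(actor)
        key = (user.id, transect_id)
        if key in self.records:
            raise ValueError("user-transect combination must be unique")
        self.records.add(key)
        self.transect_users.add(key)  # user is added to the transect
        user.roles.add(ROLE_RC)       # role is assigned automatically

    def remove(self, actor, user, transect_id):
        self._require_manager(actor)
        key = (user.id, transect_id)
        self.records.remove(key)      # KeyError if no such record
        self.transect_users.discard(key)
        if not any(uid == user.id for uid, _ in self.records):
            user.roles.discard(ROLE_RC)  # last record gone: drop the role

    def coordinator_may_update(self, user, entity):
        """Check for the transect itself and every transect-dependent entity."""
        return ROLE_RC in user.roles and (user.id, entity.transect_id) in self.records
```

In this model `remove()` deletes the transect-user row even when the user was assigned to the transect before becoming coordinator, which is what the criterion as written implies.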