Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Classification user groups authorization policies #27

Merged
merged 24 commits into from
Sep 7, 2023

Conversation

yuenmichelle1
Copy link
Collaborator

@yuenmichelle1 yuenmichelle1 commented Aug 25, 2023

Introduces classification user group authorization policies. See wiki for Authorizations info https://github.com/zooniverse/eras/wiki/API-Callout-Examples#authorizations-1

But if you do not feel like clicking ^ link, see below:

Authentication

Dependent on what you are querying. See below for more info

Authorizations

Permissions are dependent on 3 factors (unless you are a panoptes_admin, then you have full permission):

  1. what stats requests you are querying from ERAS (group aggregate stats vs individual stats breakdown),
  2. the user group's stats visibility level,
  3. and who you are related to the group

If you are querying group aggregate stats (i.e. individual_stats_breakdown is false or not a parameter in your request):

  • If the user_group's stats visibility level is public_show_all
    • anyone can view these stats (No auth required)
  • If the user_group's stats visibility level is public_agg_show_ind_if_member
    • anyone can view these stats (No auth required)
  • If the user_group's stats visibility level is public_agg_only
    • anyone can view these stats (No auth required)
  • If the user_group's stats visibility level is private_show_agg_and_ind
    • querying user is either a group_admin or a group_member (Auth required)
  • If the user_group's stats visibility level is private_agg_only
    • querying user is either a group_admin or a group_member (Auth required)

If you are querying individual stats breakdown (i.e. individual_stats_breakdown is true):

  • If the user_group's stats visibility level is public_show_all
    • anyone can view these stats (No auth required)
  • If the user_group's stats visibility level is public_agg_show_ind_if_member
    • Only group_members and group_admins can see these stats (Auth required)
  • If the user_group's stats visibility level is public_agg_only
    • querying user is a group_admin (Auth required)
  • If the user_group's stats visibility level is private_show_agg_and_ind
    • querying user is either a group_admin or a group_member (Auth required)
  • If the user_group's stats visibility level is private_agg_only
    • querying user is either a group_admin (Auth required)

@yuenmichelle1 yuenmichelle1 marked this pull request as ready for review August 25, 2023 17:39
@yuenmichelle1 yuenmichelle1 requested a review from zwolf August 25, 2023 17:39
@yuenmichelle1 yuenmichelle1 reopened this Aug 25, 2023
@yuenmichelle1 yuenmichelle1 force-pushed the classification-user-groups-authorization-policies branch from d94c25f to 6c5c679 Compare August 25, 2023 21:37

def queried_user_group
url = "/user_groups/#{params[:id]}"
panoptes_application_client.panoptes.get(url)['user_groups'][0]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These calls out to panoptes can be memoized in order to prevent repeats by adding @queried_user_group ||= to the return line. It doesn't seem like either one of these get called more than once intentionally, but it's something to keep in mind so that you don't repeat API requests unnecessarily.

spec/support/authentication_helpers.rb Outdated Show resolved Hide resolved
memberships_url = "/memberships?user_id=#{classification_user_group.user_id}&user_group_id=#{classification_user_group.user_group_id}"

@user_client_with_membership = double(Panoptes::Client, me: me_hash).tap do |client|
allow(client).to receive(:is_a?).and_return(false)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this protecting against? Does something ask the client this somewhere?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah..we don't need this line. We are not asking the the client this anywhere.

@yuenmichelle1 yuenmichelle1 merged commit da72ace into main Sep 7, 2023
3 checks passed
@yuenmichelle1 yuenmichelle1 deleted the classification-user-groups-authorization-policies branch September 15, 2023 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants