Discussion around permissions

[joncison]

Original issues was "No permissions class set on ServiceViewSet"

[joncison]

Good to check systematically for all models.

[bryan-brancotte]

Do we want or not want permissions ?

[joncison]

I'll paste the current permissions for the different models in a comment below, so that @hmenager can take a look and confirm he's happy with them.

[joncison]

This is the current state, some changes are needed I think:

PubliclyReadableEditableByOwner
Everyone can see, authenticated users can create, but only owner can update/delete.

• UserProfile
• NewsItem
• Event
• TrainingEvent
• Trainer
• TrainingEventMetrics
• EventSponsor
• Organisation,
• Project
• ComputingFacility
• TrainingMaterial
• Team
• BioinformaticsTeam
• Service
• ServiceSubmission

PubliclyReadableEditableByCoordinator
Currently just IsAuthenticatedOrReadOnly, owner_field is set to "coordinator", but no permissions logic is defined (coding needed!)

• ElixirPlatform

PubliclyReadableByUsers
Everyone can see, but no one (other than superuser) can update/delete.

• Keyword
• EventPrerequisite
• Community

[joncison]

Good to have a discussion about this tomorrow cc @bryan-brancotte @hmenager.

Some thoughts:

• Keyword: on one hand it'd be nice to allow users to create these, on the other hand, allowing this would mean a (messy) folksonomy that would need to be managed (with continual changes to database). One could start with a bunch of keywords, and provide an endpoint where users can request a new Keyword (or is that OTT)? PS. keywords are used by BioinformaticsTeam, TrainingMaterial, Event, TrainingEvent.
• EventPrerequisite: probably want users to be able to create these? It's more variable / less like a controlled vocabulary than Keyword
• ElixirPlatform: only superuser should be able to create or edit these (see Check that only superuser can create, edit or delete ElixirPlatform & Community objects #25)
• Community: probably only superuser should be able to create these (see Check that only superuser can create, edit or delete ElixirPlatform & Community objects #25), but the community "coordinator" should be able to edit (new field needed! See Consider adding a field to relate Person to Community #95)

Beyond that, it could be really nice if, somehow (user groups?), specific people or persons could also have edit permissions set automatically:

• Event, TrainingEvent: person identified by contactId field
• TrainingEvent: people identified by trainerId field of TrainingEvent->Trainer object(s)
• Project: people identified by members field of Project->Team object
• ComputingFacility: people identified by members field of ComputingFacility->Team object
• Service: people identified by members field of Service->BioinformaticsTeam object
• Team, BioinformaticsTeam: people identified by members field of (Bioinformatics)Team object
• ServiceSubmission people identified by authors and submitters fields

[bryan-brancotte]

I created and used permissions as needed here before. I did not adresse any question raised by "Some thoughts:"

TrainingEventMetricsViewSet is PubliclyReadable, is it ok ? Should'nt it be kept private ?

[joncison]

Yup - TrainingEventMetricsViewSet should def. be private!

[bryan-brancotte]

subsumed by #155