Task #1769 (closed)
Permissions : Handle admin/PI viewing/annotating in private group
| Reported by: | jamoore | Owned by: | jamoore |
| Cc: | atarkowska, jburel | Remaining Time: | n.a. |
Description (last modified by jmoore)
This ticket is a part of #1434
A system or group administrator who views or attempts to annotate data belonging to a private or non-member group may break group-based security settings for the owner.
- make objects belonging to admins public
  - -1 since objects would appear as disembodied hands for non-owners.
- make annotations/rendering settings/thumbnails belong to the owner (or the group in the case of a shared group which the admin is not a member of)
  - -1 since objects would suddenly appear to the owner as his/her own.
- make the session read-only (with special handling for rendering settings and thumbnails)
- add a flag or other marker to allow user-reading of such data.
  - Discussion: an "AsAdmin" flag would mark any object which was created via admin privilege, so that when a PI annotates in a shared group, there is no flag but in a private group, there is. Then if the PI-user is removed as an owner or the admin is removed from the "system" group, the object would still be marked as special.
  - Would need special handling on down- (and up-?) grades of permissions.
  - Is this identical to making public above? (probably unless we record the owner of the linked object in a new column)