fix(gravsearch): Unify permissions handling with full resource request #1521
Conversation
There was a problem hiding this comment.
I can only approve this PR on the principle, by reading the comments and not the code itself :)
There is a use case I would like to draw your attention to: given the fact that Default Access Object Permission can be defined at property level as well as at resource level, a permission schema like the one that follows is possible :
- define a restricted
Default Access Object Permissionon a resource - define a more open
Default Access Object Permissionon the link property that targets this resource.
For example : given 2 resource classes, Person and Biography, Person having a link property hasBiography on Biography, what do you think would happen if the permissions were set like this:
<http://rdfh.ch/permissions/0000/example-o011> rdf:type knora-admin:DefaultObjectAccessPermission ;
knora-admin:forProject <http://rdfh.ch/projects/0000> ;
knora-admin:forResourceClass example:Biography ;
knora-base:hasPermissions "CR knora-admin:ProjectAdmin|M knora-admin:ProjectMember"^^xsd:string .
<http://rdfh.ch/permissions/0000/example-o012> rdf:type knora-admin:DefaultObjectAccessPermission ;
knora-admin:forProject <http://rdfh.ch/projects/0000> ;
knora-admin:forProperty example:hasBiography ;
knora-base:hasPermissions "CR knora-admin:ProjectAdmin|M knora-admin:ProjectMember|V knora-admin:KnownUser, knora-admin:KnownUser"^^xsd:string .
<http://rdfh.ch/permissions/0000/example-o013> rdf:type knora-admin:DefaultObjectAccessPermission ;
knora-admin:forProject <http://rdfh.ch/projects/0000> ;
knora-admin:forProperty example:hasBiographyValue ;
knora-base:hasPermissions "CR knora-admin:ProjectAdmin|M knora-admin:ProjectMember|V knora-admin:KnownUser, knora-admin:KnownUser"^^xsd:string .
Would the user be allowed to see the link but prevented from accessing the resource itself?
|
@mrivoal Could you please test this PR with your use cases and see if it does what you want? |
benjamingeer
dismissed
mrivoal’s stale review
Review should be based on testing the requested use case.
|
Ok. I will try and do this tomorrow, as it means having an up-to-date stack on my laptop and involve @loicjaouen or @gfoo's help. |
There was a problem hiding this comment.
I tested the use case I was mentioning. An unauthorized user is not allowed to see the restricted resource nor the link property that targets this resource. I think this is a consistent behavior.
If it is useful I can commit my use case, as it is based on Anything ontology.
Hmm, actually in our test, you can see the link value but not the target resource. But I've just now realised that I didn't push the test data for this before leaving Basel...
Yes please, that would be very helpful. |
…urce class (RedThing)
I meant in Salsah and Knora app. If there is a link between 2 resources, the label of the target resource is displayed in the resource which the origin of the link property. If the link was displayed, I guess the label of the target resource would be as well which might be giving too much information for a resource a user is not allowed to access. What I see when I am logged in :
What I see as an UnkwownUser: |
|
I don't know what the SALSAH app does in this case, but the API returns the link value, containing only the IRI of the target resource. This has always been the case (in API v2) when requesting just one resource, and now it is (or should be) the case when you do a Gravsearch query. |
|
Done few tests and it seems to work. Related to @mrivoal example, with my model is Now I can get the Can I consider that if you provide a |
|
please remember to adapt the Gravsearch design docs |
I guess so! |
|
As I was updating the docs for this PR, I've just realised that it produces inconsistent behaviour:
What do you all think of this? Should we replace |
|
I don't really understand why you want to return the IRI of the forbidden target? Is there a particular reason for that? Could we simply return a The new specs will be:
|
Because that's what the We could return |
|
What does the API return if you request the returned (forbidden) IRI? PS. Today is a university holiday and we don't work ;-) |
Sorry, I will stop working immediately. :) |
Good idea, I have an old movie to re-watch :))) https://media.services.cinergy.ch/media/cinemanteaser174x240x2/ce00f79b734ebedb9fcb36dc65cf3fe0a30cf74a.jpg |
I think that there is more consistency problems than I thought, why {
"knora-api:error": "org.knora.webapi.NotFoundException: One or more requested resources were not found (maybe you do not have permission to see them, or they are marked as deleted): <http://rdfh.ch/0113/XiAMcfY2Skis3j1bd-QkmA>",
"@context": {
"knora-api": "http://api.knora.org/ontology/knora-api/v2#"
}
}instead of a Don't know what is the good solution, our first request was to not have a |
|
Can we have |
|
Now that we are saying that we don't try to pretend something doesn't exist if you don't have permission to see it, I don't think We could use So I think we need something like So we have two options: either One thing I don't like about |
|
I guess the easy solution right now, to make things consistent, would be to use |
|
@benjamingeer Is there any pending questions here? are you waiting some feedbacks from us? I cannot descently review your scala code (out of my skills) but about the specs it is fine for me and I refactored my code to follow what you implemented in this branch. About your last remark:
If you are talking about |
Yes, I guess we could do that in a separate PR. I would just need to know whether it would break existing client code. @tobiasschweizer |
So instead of a non successful HTTP response the client would get a 200 with |
|
That’s what I was thinking, does it make sense to you? Do you know if client code would need to be changed? |
I cannot think of any reason why this should be necessary. Instead of a failed HTTP request (non 200 HTTP response) a resource is returned like in all cases of successful responses. I would propose that the integration with the client lib be tested when doing the PR. |
|
in dasch-swiss/knora-api-js-lib, a unit test should be added for this case |
This PR makes Gravsearch filter results according to user permissions in the way that the
/v2/resourcesroute does, as per https://discuss.dasch.swiss/t/change-in-the-way-gravsearch-results-are-filtered-according-to-permissions/111.Fixes #1344
Closes #924