[ckan-dev] Cascading permissions in hierarchical organizations

Nigel Babu nigel.babu at okfn.org
Fri Apr 4 07:26:25 UTC 2014


Hi Ville,

I'm not yet sure about this either. Besides, selecting another
organization as a parent sounds fine. That way, you're granting another
organization permission. But, when you select another organization as a
child, you're giving yourself permissions into that organization, which
shouldn't be allowed.

I can see how the existing behavior might not be a good default either, and I
recommend filing a bug so we can investigate if this is planned.

Nigel Babu

Developer  |  @nigelbabu <https://twitter.com/nigelbabu>

The Open Knowledge Foundation <http://okfn.org/>

Empowering through Open Knowledge

http://okfn.org/  |  @okfn <http://twitter.com/OKFN>  |  OKF on
Facebook <https://www.facebook.com/OKFNetwork>  |
Blog <http://blog.okfn.org/>  |  Newsletter <http://okfn.org/about/newsletter>

 CKAN | http://ckan.org/ | @CKANproject
<http://twitter.com/CKANproject> | the world’s leading open-source data
portal platform


On 4 April 2014 11:16, Ville Seppänen <ville.seppanen at gofore.com> wrote:

>  Hi Nigel,
>
>
>  It seems that the cascading problem is on our part, as we
> have modified the organization and had to integrate the ckanext-hierarchy
> into our extensions. I tried this with a fresh CKAN 2.2 and the
> ckanext-hierarchy, and the problem does not exist there.
>
>
>  However, what still does exist is that a normal user can select any
> organization as the parent organization. I'm not sure whether this is
> by design or a bug.
>
>
>  -Ville
>
>
>  ------------------------------
> *From:* ckan-dev <ckan-dev-bounces at lists.okfn.org> on behalf of Nigel
> Babu <nigel.babu at okfn.org>
> *Sent:* Friday, April 4, 2014 7:59
> *To:* CKAN Development Discussions
> *Subject:* Re: [ckan-dev] Cascading permissions in hierarchical
> organizations
>
>  Hey Ville,
>
> If you have `ckan.auth.roles_that_cascade_to_sub_groups = admin`, this
> sounds like a bug. Can you please file an issue on github?
>
>  Nigel Babu
>
>
>
> On 1 April 2014 14:53, Ville Seppänen <ville.seppanen at gofore.com> wrote:
>
>> Hi,
>>
>> I'm trying to enable hierarchical organizations using the
>> ckanext-hierarchy extension and CKAN 2.2. We have a couple of requirements
>> for how the permissions should work in our case:
>>
>> - When selecting a parent organization for an organization, a user should
>> only be able to select organizations in which he/she is an admin.
>> - A user who is an admin in an organization should also be an admin in
>> all its child organizations.
>>
>> However, currently neither is working and I'm not completely sure how
>> this even should work by default. I looked at this issue
>> https://github.com/ckan/ckan/issues/1038 and there's a comment that
>> "cascading permissions has been done".
>>
>> If I create a new organization with a fresh, non-sysadmin user, I can
>> select any existing organization as the parent. Also, the admin of a parent
>> organization does not seem to get any additional rights for child
>> organizations created by someone else.
>>
>> Any ideas how this should work by default, am I missing some
>> configuration or is there a bug?
>>
>> Best Regards,
>> Ville Seppänen
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>
>
>
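An added example, not part of the original thread and not CKAN or ckanext-hierarchy code: a stand-alone Python model of the two requirements listed in the first message (a parent may only be chosen from organizations the user administers, and admin rights cascade to child organizations). The class and method names are hypothetical; `CASCADING_ROLES` stands in for the `ckan.auth.roles_that_cascade_to_sub_groups = admin` setting quoted above.

```python
# Added illustration: a stand-alone model, not CKAN or ckanext-hierarchy code.
# All names below are hypothetical.

CASCADING_ROLES = {"admin"}  # stands in for roles_that_cascade_to_sub_groups = admin


class OrgTree:
    def __init__(self):
        self.parent = {}  # org -> parent org, or None for a top-level org
        self.roles = {}   # (user, org) -> role granted directly on that org

    def add_org(self, org, creator):
        """Create a top-level organization; its creator becomes admin."""
        self.parent[org] = None
        self.roles[(creator, org)] = "admin"

    def ancestors(self, org):
        """Yield org's ancestors, stopping if a corrupted tree loops."""
        seen = {org}
        cur = self.parent.get(org)
        while cur is not None and cur not in seen:
            seen.add(cur)
            yield cur
            cur = self.parent.get(cur)

    def has_role(self, user, org, role):
        """True for a direct grant, or a cascading role held on any ancestor."""
        if self.roles.get((user, org)) == role:
            return True
        return role in CASCADING_ROLES and any(
            self.roles.get((user, a)) == role for a in self.ancestors(org))

    def can_set_parent(self, user, child, new_parent):
        """Allow only if user administers both orgs and no cycle would result."""
        if child not in self.parent or new_parent not in self.parent:
            return False
        if new_parent == child or child in self.ancestors(new_parent):
            return False  # child would become its own ancestor
        return (self.has_role(user, child, "admin")
                and self.has_role(user, new_parent, "admin"))

    def set_parent(self, user, child, new_parent):
        """Attach child under new_parent, enforcing can_set_parent()."""
        if not self.can_set_parent(user, child, new_parent):
            raise PermissionError(f"{user} may not attach {child} to {new_parent}")
        self.parent[child] = new_parent
```

Requiring admin on both organizations means the same check covers the "select a child" direction: nobody can gain cascaded admin rights over an organization they do not already administer.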