User permission

[jillpe]

Summary

The following user ends up with permissions to add to all collections and should not have that.

Accepted Criteria

• The user above only has permission to add to the following collections

[bkiahstroud]

The user above only has permission to add to the following collections

@jillpe the language above implies there should be a list of approved collections the user can add to. Do we have that list anywhere?

[jillpe]

No, but I will get clarification (I'm pretty sure it's just the collection they created)

[bkiahstroud]

Notes

1. [email protected] is a member of the managers-pomona group

Screenshot

---

2. Two Hyrax::CollectionTypeParticpant records exist for [email protected]. The existence of these records are what grant this user :create and :manage access to all newly created User Collections

pp Hyrax::CollectionTypeParticipant.where(agent_id: "[email protected]")
[#<Hyrax::CollectionTypeParticipant:0x000055c96d7a37d0
  id: 8,
  hyrax_collection_type_id: 2,
  agent_type: "user",
  agent_id: "[email protected]",
  access: "manage",
  created_at: Wed, 14 Jul 2021 16:17:20 UTC +00:00,
  updated_at: Wed, 14 Jul 2021 16:17:20 UTC +00:00>,
 #<Hyrax::CollectionTypeParticipant:0x000055c96d7a35a0
  id: 9,
  hyrax_collection_type_id: 2,
  agent_type: "user",
  agent_id: "[email protected]",
  access: "create",
  created_at: Wed, 14 Jul 2021 16:17:38 UTC +00:00,
  updated_at: Wed, 14 Jul 2021 16:17:38 UTC +00:00>]

---

3. Stats

• Number of Collections user has access to: 1,340

Hyrax::PermissionTemplateAccess.where(agent_id: "[email protected]")

• Number of Collections user has created: 224

Collection.where(depositor: '[email protected]')

• Number of Collections user has access to that they did not create: 1,116 (1,340 - 224)

---

Proposed Solution

• Delete the 2 Hyrax::CollectionTypeParticipant records

Implementation

ctp = Hyrax::CollectionTypeParticipant.where(agent_id: '[email protected]')
ctp.count == 2 ? ctp.map(&:destroy) : puts 'deleting unexpected records'

• Revoke [email protected]'s access from all collections they have individual access to that they did not create¹

Implementation

resp = ActiveFedora::SolrService.get(
  'has_model_ssim:Collection',
  fq: 'depositor_ssim:[email protected]',
  fl: 'id',
  rows: 1_000
)
good_ids = resp.dig('response', 'docs').pluck('id')
total_access_count = Hyrax::PermissionTemplateAccess.where(agent_id: "[email protected]").count
superfluous_accesses = Hyrax::PermissionTemplateAccess
                         .joins(:permission_template)
                         .where(agent_id: "[email protected]")
                         .where
                         .not(permission_templates: { source_id: good_ids })
bad_permission_templates = superfluous_accesses.map(&:permission_template);nil

if (total_access_count - good_ids.size) == superfluous_accesses.count
  superfluous_accesses.destroy_all
else
  puts "error: counts don't match"
end

bad_permission_templates.each do |permission_template|
  begin
    collection = permission_template.collection
    permission_template.reset_access_controls_for(collection: collection)
  rescue Hyrax::ObjectNotFoundError => e
    puts "PermissionTemplate #{permission_template.id} is for an AdminSet. No need to call #reset_access_controls_for. Skipping..."
    next
  end
end

¹ Note that they are in the managers-pomona group, so they should still retain access to all collections that group has been granted access to

[bkiahstroud]

On hold pending approval from the client to move forward with the Proposed Solution (see previous comment)

[dswalker]

This sounds good to me, Kiah. I approve.

[bkiahstroud]

The user in question should no longer have access to collections they did not create, nor should they be granted access to every newly created collection moving forward

[aprilrieger]

@dswalker will review and test and provide feedback.