-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Tagging] Permissions for Taxonomies List Page and Taxonomy Detail Page #129
Comments
@jmakowski1123 Would you review this ticket's description when you get the chance please? I think you and Jill discussed permissions in some depth. |
@bradenmacdonald I've asked Jenna to review this ticket as she is more up to speed on the permissions as I am. For what it's worth, everything outlined in "Acceptance Criteria" matches my understanding.
I agree with your point on #105 i.e. that if a user can view a taxonomy, they should be able to export/download it. |
Does this cover the use case of: I'm an org-level administrator for HarvardX on edX.org and I want to import a taxonomy for HarvardX. Because I'm just part of HarvardX and not edX.org staff, I only have access to HarvardX on the edX.org platform. ...? In other words, are instance-level superusers/global staff equal to org-level admins? In the context of the new R&P framework edX is working on, the "Org Admin" should also have all editing permissions for taxonomies, right @bryan-kersten? However this role doesn't exist yet, so how does the HarvardX use case above work in practice in the interim? https://docs.google.com/spreadsheets/d/1htsV0eWq5-y96DZ5A245ukfZ4_qeH0KjHVaOyfqD8OA/edit#gid=908503896
|
@jmakowski1123 My understanding was that for MVP only global admins (not org admins) would be editing. In other words, for MVP, if a HarvardX admin wanted to import a new taxonomy, they'd have to ask an edx.org admin to import it for them and link it to HarvardX. If we need to include org-level admins as editors though it's no problem - but that's not what's shown in the mockups.
I'm surprised it says that because the existing |
@jmakowski1123 For (2) I think there are other reasons an instructor may wish to download (export) a taxonomy besides editing it and re-uploading it. For example, they may wish to upload the taxonomy to a sandbox or another Open edX instance where they are an admin, or write some scripts that use the taxonomy to tag their content automatically, or train some machine learning models, or other advanced usage like that. However, for MVP we can certainly just say "you can export if you can import" if you want, instead of "you can export if you can view". Either way is just as simple from a technical perspective. The only thing is I think we talked about letting users export system-defined taxonomies, for advanced use cases like I mentioned, and it doesn't make sense to allow that in this case, since they cannot be imported. |
After discussing this with @jmakowski1123 I have updated it: org-level admins will have broad editing abilities just like global staff, but within their own org. And export perms will be the same as view perms, for the benefit of power users that want to use scripts to manipulate taxonomies or content. |
Agreed. The view taxonomy permission is the REST DETAIL one used in the CRUD, not if the user will actually view the ObjectTags within this taxonomy associated with the object. But should we filter out disabled taxonomies in the GET ObjectTag endpoint? |
@rpenido Yes, I think we should. We keep the data from deleted taxonomies, but we don't display the tags to users. |
Is there an explicit role for studio access? Or this is a user that has any of the following roles:
If it is the latter, the other rules will cover 3.
These "users" are from the rules 6, 7 and 8, right? Am I missing something? |
You're right, I don't think there is an explicit role for Studio access. So the other rules cover #3.
I'm not sure what you're asking here.. but another way to say this is "5. Users who are not global staff ("instance-level admins") or org-level staff ("org-level admins") can only see enabled taxonomies." From what I understand from reading this ticket:
@jmakowski1123 @bradenmacdonald is this ^ correct? |
Thank you for the answers, @pomegranited!
I'm asking because I'm assuming that regular users (who are not part of 6, 7, or 8) will not access the Taxonomy Admin Interface to see a Taxonomy list or detail (these permissions are used in the Taxonomy CRUD). They will probably use the ObjectTag endpoint to see Tags and values applied to a Course, not a Taxonomy Detail or Taxonomy List. Should we leave the View Taxonomy of enabled taxonomies open or any logged user anyway? This doesn't seem right. We limit instructors to see only taxonomies from their organization, and let the regular user see any enabled taxonomy. |
@rpenido I'm not sure.. will have to let the Braden or Jenna confirm. |
Ok! Thank you @pomegranited! 😃 |
You are right, there actually is no Studio access role. So for now we can make it so that any registered user can view enabled taxonomies that are part of all orgs. But in the tests and rule definitions, it would be good to put a comment that says our preferred rule would be "Any user with access to Studio can see enabled taxonomies that are part of [“all orgs”]", but because there is currently no "has studio access" permission, we are going with "any registered user" for now.
Yes, this is just emphasizing that the users from 6, 7, 8 as well as 3, can never see disabled taxonomies. Technically this rule isn't necessary because it is implied by the other rules, but I think it's helpful to include it as a separate test, which is why I listed it separately.
Not really. Regular users (non-admins) can only see enabled taxonomies that are linked to one of their orgs (6, 7, 8) or that are linked to "all orgs".
Yes
Not quite. Only admins can view disabled taxonomies so it's easy to determine who can view a disabled taxonomy with an org attached - only instance-level admins or org-level admins for that specific org. The rules from (6, 7, 8) don't apply to disabled taxonomies.
You are right about the first part - users who aren't part of 6, 7, 8 will not be using taxonomy features at all. However, they also won't be using the ObjectTag endpoints either. (You are right that maybe in the future Learners may "use the ObjectTag endpoint to see Tags and values applied to a Course", but we're not supporting about that use case for the MVP. The MVP is focused only on course authors in Studio.) Generally only admins and course authors (i.e. 6, 7, 8) will be using the tagging APIs. Learners won't be using these APIs at all. If some random learner uses the API, they would be able to see the enabled "all orgs" taxonomies, but that's only because we don't have a way to properly implement rule 3 ("only users with studio access..."). Just to be clear, this ticket is only talking about API permissions for now, though the UI permissions will be the same.
See previous answers. A random/regular user can only view enabled "all orgs" taxonomies, and that's only because we can't properly implement rule 3 yet. If a taxonomy is linked to an org, only people who are associated with that org (2, 6, 7, 8) can view it; regular users cannot. |
Here's another way to describe it, by taxonomy type. Maybe this is clearer?
|
Thank you for the clarification! |
@bradenmacdonald CC @pomegranited |
@rpenido Course Creator just means you have permission to create a new course in Studio, and it's a fairly low-level permission that many people have. On some instances it's also disabled, so anyone can create courses without needing special permission. |
We were checking permissions using a user in the tests with this role before. Your comments clarified the issue for me. Thank you @bradenmacdonald ! |
Acceptance Criteria
Who can view taxonomies:
includes seeing all tags and metadata. Does not necessarily allow the user to view
ObjectTag
s using the taxonomy though.OrgStaffRole
) can see all taxonomies that are linked to their organization (enabled and disabled).OrgInstructorRole
,OrgContentCreatorRole
, orOrgLibraryUserRole
) can see any of that org's enabled taxonomies.CourseStaffRole
orCourseInstructorRole
) belonging to an org can see that org’s enabled taxonomies.CAN_VIEW_THIS_CONTENT_LIBRARY
) can view that org's enabled taxonomies.This applies to the Taxonomies List Page as well as the Taxonomy Detail Page, though it must be implemented on the backend, not the frontend.
Who can export taxonomies
Who can edit taxonomies:
OrgStaffRole
) can do the following for taxonomies that are linked to their org:Who can view ObjectTags
Because of how the taxonomy permissions are defined, we don't really need to check if the user has permission to view the Taxonomy. Generally if the user can see the object, they'll be able to see the associated taxonomies. In the future we may extend these permissions to say that you can only view an ObjectTag if you can view the content object and you can view the taxonomy, but for now we only need to check the content object.
Who can edit ObjectTags
Developer Notes
can_export_taxonomy
permission should be defined as equal to thecan_view_taxonomy
permission.The text was updated successfully, but these errors were encountered: