Checking the permission of the user before he/she saves a data package to metacat
Currently morpho uploads data files first, then the eml document.
On moropho, a user adds a data file to an eml document on which he doesn't have WRITE permission. Then the user tries to save the new data package into a metacat. The data file will be upload successfully since it was inserting. But the eml updating will fail. In this case, the data file object only can be accessible by the user himself. The data file was stranded.
We can added a checking permission before user saving the data package. I talked with Mike and he told me that metacat 1.9.2 has new an API named isAuthorized. It takes three parameters: permission, resourceId and sessionid. It will check if the sessionid has the permission on the resourceID. Sounds like morpho can call this method before saving to metacat.
#1 Updated by ben leinfelder almost 11 years ago
Jing phrased the bug report in terms of verifying that a user has write permission before saving anything to metacat. Sounds reasonable, but the problem we recently encountered was more complicated. Shirley did have write permission, but not changePermission permission. So I believe she should have been able to upload a modified EML doc so long as no access rules are modified. Can the isAuthorized API deal with those nuances?
Incidentally, my initial thought the other day was that Shirley couldn't save the EML doc after importing new tables in Morpho because the act of importing the tables caused access rules to be written/re-written in the EML doc. But I just diff'ed nceas.961.4 (the one she started with) and nceas.961.9 (the one she tried to save), and I don't see any differences to the access rules. Why the permission error then? Is it not just whether an explicit access rule changed in the EML doc, but whether an access rule has to be set/changed somewhere in metacat?