Idea : if read permissions are filtered, users will want to make some artifacts public

[rkboyce]

Issue #2222 discussed the idea of making read permissions controlled more granular (see below). An implication might be that a user would like a simple way to make a given artifact publicly viewable (readable to all other users). Without some additional work to that proposed in #2222, the user would have to manually select every other user of the system to grant read access. Thus, it might be appropriate to add the ability to do so with a single check box (or other ui element) in the user interface.

The implications would be as follows:

• there would be a need for a new system role that is granted to every user, that is not easily deleted, and that would initially be have no permissions assigned. As users select to make their artifacts public, the read permission for each artifact would be added to the TBD role and thereby make it possible for all users to see the artifact in lists such as the concept set or cohort lists.

flowchart LR
    A[design artifact] -->|edit| B(save)
    B --> |edit| C{write access}
    C -->|group| E[all users in a  group]
    C -->|user| F[single user]
    B --> |edit| D{read access}
    D -->|public| G[global read]
    D -->|group| H[all users in a  group]
    D -->|user| I[single user]

Loading

NOTE: In Atlas, this could be implemented by change the modal form presented after clicking the the lock icon present in the concept set expression view to allow the user to edit both read and write access:

[rkboyce]

Based on discussion and review of the code the current code in PermissionService.java and the security.model.* might not honor the :*:get as a global permission. So, we might not have an simple way to establish global permissions. Requires further review and testing to decide on a design.

[chrisknoll]

Once you do your review, we may just need to apply the * pattern to the permission string, but keeping in mind that the logic of the code says if you have 2 permissions from the templates, that you must have those 2 permissions found in the user's permission for the role. The problem is that when we add the * check, it's not an 'all' anymore, it's either-or (either you have the direct permission to the entity (by ID) or you were granted all permissions to all entities (by *) and when we're looking for our matches, we can't say 'all' anymore (ie: must have the permission by ID and by *), but i'm not sure the 'by any' would work here either (ie: you get one permission by *, the other by ID, and as long as you have both, you pass the role check).

It's a complicated thing, we just need to completely understand the check and then understand how using the 'by Id' / 'by *' check impacts the logic.