Add support for events inheriting ACL from its series (via different merge modes) #1037

Open
LukasKalbertodt opened this issue Dec 18, 2023 · 1 comment
Labels
area:auth Authentication and Authorization area:backend Everything backend related area:database The Tobira database area:opencast The Opencast side area:sync Syncing with an Opencast instance kind:new-feature A new feature needs:research Needs research as we are lacking knowledge to make an informed decision

@LukasKalbertodt
Member

We procrastinated this for a long time but we should have support for this ACL mechanism. It's described in these docs.

The way I see it, we have to implement the logic for all possible merge modes. Otherwise we cannot correctly perform authorization as Opencast specifies it. The logic is fairly straightforward, but we have to see whether we "implement it at query time" by making SQL queries and the Meili query more complex, or whether we have a cached "merged" ACL somewhere.

And how do we get the current merge mode? We can force admins to configure it in Tobira, duplicating that value. Or we could somehow transfer it from Opencast to Tobira. Is there an API already maybe?

Random thoughts of mine:

  • The ACL of the series has a dual role then. Its "write" actions are used to see whether people can add videos to a series or edit the series metadata. But the ACLs also might be used for all events. I doubt this is a problem in practice, but it still seems weird to me.
  • In Tobira there is currently no natural way to store "this event has no ACL attached to it". In fact, even the harvest API assumes that this is always the case. We can send an empty ACL but that's different than having none at all, right? And "having none at all" is required for the "override" rule to work at all. Our uploader also needs to support not attaching ACL at all.
  • The Harvest module in Opencast retrieves the event ACLs from the search service. Do we already get ACLs merged by Opencast? And are they updated correctly so that we already have everything working?!
  • The visibility selection to control ACL in the uploader should be configurable #1006 is related, but independent of this. No merge mode inherently disallows specifying ACLs for an event. So if Bern wants events to always have exactly the same ACL as the series, that needs to be a separate toggle.
@LukasKalbertodt LukasKalbertodt added area:backend Everything backend related kind:new-feature A new feature needs:research Needs research as we are lacking knowledge to make an informed decision area:database The Tobira database area:opencast The Opencast side area:sync Syncing with an Opencast instance area:auth Authentication and Authorization labels Dec 18, 2023
@LukasKalbertodt
Member Author

It indeed seems like Tobira is already using correctly merged ACLs since the data is retrieved from the search service.

That brings up the question of how the ACL UI for existing events should work. Or well, for the uploader as well. Should it only edit the ACL attached to the event itself? But we somehow have to show users the resulting ACL after merging with the series?
