[ome-devel] Group permissions

Josiah Johnston siah at nih.gov
Sat Jan 14 01:31:33 GMT 2006


Extracted from Bug 618:
	http://bugs.openmicroscopy.org.uk/show_bug.cgi?id=618

Here's my best take on an upgrade script. I'd appreciate it if anyone  
else can look over this before I make the announcement to ome-users.  
Also, any comments on whether this should be rolled into an automated  
database upgrade would be appreciated.

BEGIN;
-- Each UPDATE names its joined table in an explicit FROM clause
-- (PostgreSQL's UPDATE ... FROM) instead of relying on an implicit one.
-- First, set the module_executions' group to the owner's group.
-- This handles most of the cases
UPDATE module_executions SET group_id = experimenters.group_id
FROM experimenters
WHERE experimenters.attribute_id = module_executions.experimenter_id AND
       module_executions.group_id IS NULL;
-- Now, change the group ownership of MEX's that produced experimenters to
-- those experimenter's groups. An experimenter is owned by the admin who
-- created it rather than owning itself. Ideally, this shouldn't be necessary,
-- but in reality it may be.
UPDATE module_executions SET group_id = experimenters.group_id
FROM experimenters
WHERE experimenters.module_execution_id = module_executions.module_execution_id;
-- Now, change the group ownership of MEX's that produced groups to
-- those groups.
UPDATE module_executions SET group_id = groups.attribute_id
FROM groups
WHERE groups.module_execution_id = module_executions.module_execution_id;
-- Now, change the group ownership of MEX's that linked experimenters to
-- groups so that the links are visible to the groups.
UPDATE module_executions SET group_id = experimenter_group_map.group_id
FROM experimenter_group_map
WHERE experimenter_group_map.module_execution_id = module_executions.module_execution_id;
-- Now, give everyone permission to see repositories. This has the side effect
-- of allowing everyone to see what came in during import. That includes: the
-- superuser, the superuser's group, and several original files.
UPDATE module_executions SET group_id = NULL
FROM repositories
WHERE module_executions.module_execution_id = repositories.module_execution_id;
-- The final step will not apply universally. It gives everyone permission to
-- see FilenamePatterns, the instructions for stacking images together during
-- import based on patterns in their names.
UPDATE module_executions SET group_id = NULL
FROM filename_pattern
WHERE module_executions.module_execution_id = filename_pattern.module_execution_id;
COMMIT;


I changed the command line utility for groups, GroupAdmin.pm, to ensure  
that newly created groups and links between groups are visible to the  
group in question.

Affected files:
OME/src/perl2/OME/Util/Admin/GroupAdmin.pm v. 1.11, 1.12


Because this list may not be complete, I made a change to the web  
interface that allows the super user to edit the experimenter and group  
ownership of MEXs by going to their detailed view page (i.e. click on a  
MEX name in the search page). This will allow fine tuning of unintended  
side-effects.

Affected files:
OME/src/perl2/OME/Web/DBObjDetail/__OME_ModuleExecution.pm v 1.17
OME/src/html/Templates/System/Display/One/OME/ModuleExecution/detail.tmpl v 1.9

I also changed the installation code to set the installation MEX to a  
NULL group (this allows universal visibility for repositories), and the  
MEX of all attributes from CoreXML to a NULL group (overkill to achieve  
universal visibility of FilenamePatterns).

Affected files:
OME/src/perl2/OME/Install/CoreDatabaseTablesTask.pm v 1.108
OME/src/perl2/OME/Tasks/ModuleExecutionManager.pm v 1.17
OME/src/perl2/OME/Tasks/OMEImport.pm v 1.36

-Josiah
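
An added example, not part of the original message or of the OME code base: a post-upgrade audit that lists every MEX left with a NULL group (visible to all users) and tags it with the reason the script gives for that, so the remaining ones can be reviewed by hand. Assumptions: SQLite stands in for the PostgreSQL database, the toy tables model only the module_execution_id and group_id columns named in the script, the sample rows are constructed, and the function names are hypothetical.

```python
import sqlite3

# Every MEX whose group_id is NULL is universally visible. Classify each one
# by the two reasons the upgrade script gives for deliberately using NULL.
AUDIT_SQL = """
SELECT DISTINCT m.module_execution_id,
       CASE WHEN r.module_execution_id IS NOT NULL THEN 'repository'
            WHEN f.module_execution_id IS NOT NULL THEN 'filename_pattern'
            ELSE 'unexplained' END AS reason
FROM module_executions m
LEFT JOIN repositories r ON r.module_execution_id = m.module_execution_id
LEFT JOIN filename_pattern f ON f.module_execution_id = m.module_execution_id
WHERE m.group_id IS NULL
ORDER BY m.module_execution_id
"""


def audit_null_groups(conn):
    """Return [(module_execution_id, reason)] for universally visible MEXs."""
    return conn.execute(AUDIT_SQL).fetchall()


def build_sample_db():
    """Constructed toy data representing a database after the upgrade ran."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE module_executions (
            module_execution_id INTEGER PRIMARY KEY,
            experimenter_id INTEGER,
            group_id INTEGER);
        CREATE TABLE repositories (module_execution_id INTEGER);
        CREATE TABLE filename_pattern (module_execution_id INTEGER);
        INSERT INTO module_executions VALUES (1, 10, NULL); -- produced a repository
        INSERT INTO module_executions VALUES (2, 10, NULL); -- produced two patterns
        INSERT INTO module_executions VALUES (3, 11, 5);    -- ordinary, has a group
        INSERT INTO module_executions VALUES (4, 12, NULL); -- missed by the script
        INSERT INTO repositories VALUES (1);
        INSERT INTO filename_pattern VALUES (2);
        INSERT INTO filename_pattern VALUES (2);
    """)
    return conn


if __name__ == "__main__":
    for mex_id, reason in audit_null_groups(build_sample_db()):
        print(mex_id, reason)
```

Rows tagged 'unexplained' are the ones to inspect in the MEX detail page described above.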


