Granular access control

[SteveViss]

• Mangal user has to be authenticated with ORCID to access endpoints.
• users endpoint can only be accessible by admin, access denied for all other user. If the user want to see is profile, the user can use the route /profile
• Each mangal user can have access to their own private datasets and all public datasets.
• Admin can have access to all datasets.

@tpoisot, we have to think about the permissions, procedures (access request).
ex. Can a user ask/request access to a private dataset directly to his owner?

[tpoisot]

I like it. Two comments.

1. Does it also applies below dataset? If anyone can access all interactions, it's easy to reconstruct the private datasets, and so it doesn't make sense.

2. One way to "share" dataset would be for users to create groups and have a list of ORCIDs allowed to view the resources within each group, but that's a whole new thing. Maybe medium-term.

[SteveViss]

@tpoisot:

1. datasets, networks, taxons, interactions, traits, environments are not available by default if it's a private dataset (boolean field public on datasets table). taxa_backbone, attributes are shareable among users. (Don't forget, taxons table contains the original taxa name from the dataset and taxa_back is the taxonomy backbone table, mapping taxa against EOL, BISON, GBIF etc...)

2. Yes, to do it, I'll have to create a join table between users and datasets (n:n relationship). Many users can have access to many datasets. We can have this functionnality on the 2.2 or later release.

Edit: Not prioritaries features - change for v3

[SteveViss]

Prioritaries features:

• Change fkey user in dataset for maintainer.
• Admin role can consume any ressources (with full methods) on all datasets
• Maintainer can POST/PUT/DELETE only on his datasets

[SteveViss]

New features:

• Users authenticate by token can PUT/POST
• Users without token authentification can only GET

[tpoisot]

On peut faire sans put/post -- pour le moment on va faire du read only.