http://localhost/ticket/1066 <p> The definition of the 'reader' role includes creating packages, which is too permissive for some CKAN instances (e.g. DGU). 'Reader' suggests only reading, so I think this role should avoid creating and editing. </p> <p> All projects so far want all roles to be able to create users, so this stays as a Reader action for now, as a convenience. </p> <p> Implementation: </p> <ul><li>Action.PACKAGE_CREATE removed from reader's default_role_actions </li><li>Visitor has a new default role, called 'anon_editor' which can edit packages, but not groups / auth groups - you have to log in for that. </li><li>Migration script not needed? </li><li>Code comments written, to make clear the suggested policy </li></ul> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/1066 Trac 0.12.3 dread Fri, 01 Apr 2011 08:08:51 GMT http://localhost/ticket/1066#comment:1 http://localhost/ticket/1066#comment:1 <ul> <li><strong>description</strong> modified (<a href="/ticket/1066?action=diff&amp;version=1">diff</a>) </li> </ul> Ticket dread Mon, 04 Apr 2011 08:04:06 GMT http://localhost/ticket/1066#comment:2 http://localhost/ticket/1066#comment:2 <p> Need a new role 'ANON_EDITOR' which is the default role for Visitor, which can create packages, but not groups. </p> Ticket dread Mon, 04 Apr 2011 09:04:52 GMT http://localhost/ticket/1066#comment:3 http://localhost/ticket/1066#comment:3 <ul> <li><strong>description</strong> modified (<a href="/ticket/1066?action=diff&amp;version=3">diff</a>) </li> </ul> Ticket dread Mon, 04 Apr 2011 15:18:31 GMT http://localhost/ticket/1066#comment:4 http://localhost/ticket/1066#comment:4 <p> Migrations: </p> <ul><li>Default (open) CKAN instances will have visitor as a reader on the system, and will have to upgrade them to anon_editor. </li><li>DGU &amp; DataGM instances have visitor as a reader on system and must stay like that. </li><li>Pudo's specially locked instance, where editor has been changed to only read can now use the 'reader' role (assuming he's happy for them to create users) </li></ul><p> Migration script (37) is designed to cope with the default (open) setup, and the other special cases must be dealt with using CLI at the time of upgrade: </p> <p> DGU &amp; DataGM must run: </p> <pre class="wiki">paster rights remove visitor anon_editor system: paster rights make visitor reader system: </pre> Ticket dread Mon, 04 Apr 2011 15:48:56 GMT http://localhost/ticket/1066#comment:5 http://localhost/ticket/1066#comment:5 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> <p> Done on branch defect-1066-reader-too-permissive and merged into release-1.3.3 </p> Ticket