Ticket #1066 (new enhancement) — at Version 3

Opened 3 years ago

Last modified 3 years ago

Default reader role too permissive

Reported by: dread
Owned by: dread
Priority: major
Milestone: ckan-v1.4-sprint-5
Component: ckan
Keywords:
Cc:
Repository: ckan
Theme: none

Description (last modified by dread)

The definition of the 'reader' role includes creating packages, which is too permissive for some CKAN instances (e.g. DGU). 'Reader' suggests only reading, so I think this role should avoid creating and editing.

All projects so far want all roles to be able to create users, so this stays as a Reader action for now, as a convenience.

Implementation:

  • Action.PACKAGE_CREATE removed from reader's default_role_actions
  • Visitor has a new default role, called 'anon_editor', which can edit packages, but not groups / auth groups - you have to log in for that.
  • Migration script not needed?
  • Code comments written, to make clear the suggested policy

Change History

comment:1 Changed 3 years ago by dread

  • Description modified

comment:2 Changed 3 years ago by dread

Need a new role 'ANON_EDITOR' which is the default role for Visitor, which can create packages, but not groups.

comment:3 Changed 3 years ago by dread

  • Description modified
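
As an added illustration (not CKAN's code and not part of the ticket), the policy described in the ticket can be written as a role/action table with a check that a read-only role holds no mutating action other than a documented exception. The action strings and the BEFORE/AFTER tables are constructed for this example; only `PACKAGE_CREATE`, `reader` and `anon_editor` come from the ticket.

```python
# Added example: constructed role/action tables modelled on the ticket text.
# The action strings and table contents are assumptions, not CKAN's own code.
READ, EDIT = "read", "edit"
PACKAGE_CREATE, GROUP_CREATE = "create-package", "create-group"
AUTHZ_GROUP_CREATE, USER_CREATE = "create-authorization-group", "create-user"

# Actions that change state; a role named "reader" should not hold these.
MUTATING = {EDIT, PACKAGE_CREATE, GROUP_CREATE, AUTHZ_GROUP_CREATE, USER_CREATE}

BEFORE = [
    ("reader", READ),
    ("reader", USER_CREATE),
    ("reader", PACKAGE_CREATE),      # the grant the ticket objects to
]

AFTER = [
    ("reader", READ),
    ("reader", USER_CREATE),         # kept deliberately, per the ticket
    ("anon_editor", READ),
    ("anon_editor", EDIT),
    ("anon_editor", USER_CREATE),
    ("anon_editor", PACKAGE_CREATE), # no group / auth group creation
]

# Documented exceptions: mutating actions a read-only role may still hold.
ALLOWED_EXCEPTIONS = {("reader", USER_CREATE)}


def actions_for(role, table):
    """Return the set of actions granted to `role` in a (role, action) table."""
    return {action for r, action in table if r == role}


def audit_read_only(table, read_only_roles=("reader",), exceptions=ALLOWED_EXCEPTIONS):
    """List grants that give a read-only role a mutating action which is
    not covered by a documented exception."""
    return sorted(
        (role, action)
        for role, action in table
        if role in read_only_roles and action in MUTATING
        and (role, action) not in exceptions
    )


if __name__ == "__main__":
    print("before:", audit_read_only(BEFORE))
    print("after: ", audit_read_only(AFTER))
    print("anon_editor:", sorted(actions_for("anon_editor", AFTER)))
```

Run as a regression test against the real default table, a check of this kind fails the build if a later change quietly gives the reader role a write action again.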