Since the mentioned tickets disperse the information a bit, here is an overview again of the requirements for the permissions regarding the user profile section:
items that are relevant for permissions are:
name, surname
username
email
links
cba username & token
biography
associated user accounts
user image/avatar
profile activation
the expectance horizon for permissions in this section is:
dashboard-area "Profiles" should be hidden for users who are not in the programme coordinator group (cc @kmohrf )
If a user is superuser or member of the programme coordinator group, all items in the "my account" and "profiles" section should be editable.
if a user is host or host+ then the "Profiles" section should NOT be visible. In the "my account" section, the following items should NOT be editable: username, name, email, profile activation, CBA key & token
@fm_margarethem awaits answers from ProKos' testing if this list should be extended.
UPDATE 1.7.2024: RH ProKo opts that name / username / email is non-editable for hosts, because those are hard facts that get fixed with the radiomaker's contract (Sendevereinbarung) and changing them would require an agreement from the radio administration.
test results
First rounds of testing (on dashboard.aura.radio done on 24.-26.6.24) showed that the current state mismatches the expectance horizon in the following points:
"my account" section
as a user in the programme coordinator group I cannot edit the items in my own account section
(expected: I can edit everything)
Profiles section
as a user in the programme coordinator group I can only edit all items in the user profile (name, email, bio, image, link etc) but NOT the items in the associated account
(expected: I should be able to edit everything)
test results for host and host+
profiles section
As a member of the host group I can view the profiles section (expected: "profiles" should be hidden)
"my account" section
As a member of the host group I can edit all the info in "my account" (username, name, email, cba key & token). Expected: I should not be allowed to edit anything.
I'll update / add to this comment and create subtickets accordingly (cc @kmohrf @eigenwijsje). Thanks
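The expectation listed in the comment above, written as a server-side, deny-by-default field check (an added example, not part of the ticket thread and not steering's code). It shows why hiding a section or greying out a field in the dashboard is not sufficient: the backend has to drop every submitted field the caller holds no permission for. Assumptions: the `demo.` permission strings and field keys are hypothetical, and hosts are assumed to keep edit rights on biography, image and links, the items not on the ticket's non-editable list.

```python
from dataclasses import dataclass

# Constructed for this example: the "demo." strings and field keys are
# hypothetical stand-ins, not permission names taken from steering.
PROFILE_FIELDS = ("biography", "image", "links")
ACCOUNT_FIELDS = ("username", "name", "surname", "email",
                  "is_active", "cba_username", "cba_token")
FIELD_PERMISSION = {f: f"demo.edit_{f}" for f in PROFILE_FIELDS + ACCOUNT_FIELDS}

PROFILE_EDIT = {FIELD_PERMISSION[f] for f in PROFILE_FIELDS}
GROUP_PERMISSIONS = {
    "host": PROFILE_EDIT,
    "host+": PROFILE_EDIT,
    "programme coordinator": set(FIELD_PERMISSION.values())
    | {"demo.view_profiles_section"},
}


@dataclass(frozen=True)
class User:
    groups: frozenset
    is_superuser: bool = False

    def permissions(self) -> set:
        # Union of everything the user's groups grant; unknown groups grant nothing.
        return set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in self.groups))


def can_view_profiles_section(user: User) -> bool:
    """The "Profiles" area is only for programme coordinators and superusers."""
    return user.is_superuser or "demo.view_profiles_section" in user.permissions()


def split_update(user: User, payload: dict) -> tuple:
    """Split a submitted update into (accepted, rejected) fields, server-side."""
    granted = user.permissions()
    accepted, rejected = {}, {}
    for name, value in payload.items():
        # Deny by default: a field with no permission defined is never writable,
        # not even for superusers, so unlisted attributes cannot be slipped in.
        perm = FIELD_PERMISSION.get(name)
        if perm is not None and (user.is_superuser or perm in granted):
            accepted[name] = value
        else:
            rejected[name] = value
    return accepted, rejected
```

Turning the ticket's expectation list into assertions against `split_update` and `can_view_profiles_section` gives a regression test that fails whenever a group's permission set drifts from what was agreed.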
One thing I'd like to add: In my understanding, the Host+ Role should also be able to create profiles on-the-fly. That means some dedicated permission should be provided for that and assigned to the Host+ group.
Please let me know when the new permission is ready and what I should add to the documentation.
I think the permission you ask for already exists. To my understanding, the following permission string grants permission to create hosts (i.e. their profiles):
program.add_host
When this is granted to the host+ group, their users should be able to create new host profiles. There are further permissions for program.edit_host, program.add_hostlink and program.edit_host_image/name/etc... which handle the editing of the single profile items such as name etc. Those permissions are now granted to the programme coordinator group only.
@david you can add to the documentation that host+ can create hosts, and programme coordinator can create and edit hosts and edit host details (name, mail, bio, image, link).
@eigenwijsje please correct me if I described something wrong here :)
Please note we decided to replace the term "host" in favor of "profile", as long as we are not talking about the "host role". I've already updated these terms in the docs, as part of aura#206 (closed).
@fm_margarethem awaits answers from ProKos' testing if this list should be extended.
There is actually no need to enquire about ProKo input.
I've updated the permission table in the docs with defaults for "user" and "profile" entities. With the combination of these permissions, radios can configure whatever they need.
What's missing though: Role "Host" should not be able to create profiles on the fly. Only role "Host+" is able to do that by default. What I need from @eigenwijsje:
What are the correct terms of the permissions to create and edit profiles? How to describe it best?
Can you either confirm this is the default already, or change it in a way that it is the default?
host / host+ users should not have access to the complete profiles section, because they do not need or should not access all the other users' data. BUT, if this section is completely hidden, in the current state of the dashboard hosts/host+ then do not have any option in the dashboard to change their own profile info (bio, weblink, image).
How do we make this info accessible/editable for host/+ users? One option I'd see is keeping the "Profiles" menu visible for host/host+ members and only showing the one profile that this user is owner of (= means, I only see my own profile and not a list). Another option would be to display the profile info (weblink, image, bio) as part of the "my account" page, so users can see & edit their profile info from there (which would feel more natural from a UX perspective, I'd think).
After discussion with @eigenwijsje we agreed to come back to the initial scope of this ticket, which is the implementation of the host and user profile permissions in steering. I ran a series of tests to check the availability and functioning of the permissions. (Dashboard response and the questions on updating the permission group settings are already present in other tickets) Here are my results:
Workflow
With a user who is a member of the host group, I logged into dashboard.aura.radio. Provided permissions: see attached screenshot. I opened the "my account" section and checked availability, response and behaviour of the requested fields. To check technical functioning, I un- and re-assigned several field-level permissions for the host profile, to see if fields were (un)blocked as expected. One example of what I did in detail:
assign field-level permissions to edit ONLY the biography, image and host link fields. (expectance: name and email should be blocked from editing, other fields should accept input). the relevant permission strings are:
results
When editing the host profile, all fields behave as expected, except for the "host link". "host link" is blocked for edit even though all available permissions for it are assigned. This may be caused by an error in steering, or a missing permission that has to be implemented. See screenshot:
After the latest testing on 3.7.24 on dashboard.aura.radio, permissions for the "links" field now work, and other permissions do as well. A new field-level permission has been implemented and has been added to the corresponding groups on dashboard.aura.radio. Thus I'll close this ticket.
...re-opening because during test of the permission groups on dashboard.aura.radio I found some things that I obviously overlooked before, soooorry
Here are my test reports:
Observation
Despite having all available permissions for editing the "user profile", editing of the fields (forename, surname, email) is not allowed. The only field-level permissions that work correctly are the ones for CBA username & CBA token.
steps to reproduce
assign host+ or ProKo group membership to a user
log into dashboard.aura.radio and try editing the User Profile section
notes / hints
Group permission settings were checked and are correct (all available permissions are given). When checking in the steering backend, I noticed that some field-level permissions are not available / not implemented: "name", "surname", "email". I guess this is the reason why editing fails even though the general permission for editing the model is given. I made a screenshot of the total list of currently available permissions for the user profile:
For additional info I attach the browser console output for the permission strings from testing with a host+ group account (which holds the same permissions regarding the user profile as the ProKo group does).
Closing this ticket, since field-level edit permissions for the profile are not part of the requirements any more. (This should be static info only to be edited by admins.)