Edit actions not contextualized based on admin rights


Bill Tantzen

Aug 10, 2022, 4:36:11 PM
to DSpace Technical Support
In DSpace7, the actions that a logged-in user may perform seem not to be contextualized according to the admin groups to which they belong, for instance:

When logged in as an eperson with any community admin capacity, that user has the options Edit -> Community, Collection, or Items. The resulting search option is not restricted to the community they have permissions for and instead displays everything, so it appears that they have permission to edit any community, collection, or item, only to receive a 403 permissions error if they try to proceed.

Similarly, an EPerson with community admin rights will see the option to Create a New Item/Collection/Community/Process when logged in. The Create New Collection/Community search will list all collections/communities (including creating a new top-level community) and will let the EPerson fill out the form for creating a new community/collection even if the EPerson does not actually have permission to do so in the selected community. It is not until the EPerson tries to save that new community/collection that DSpace indicates that an access error has occurred, and calls it a "server error" rather than a permissions error.

Finally, users with no admin permissions see the option to Edit Item, with the ability to choose seemingly any item. Selecting the item will then show a 403 permissions error.

Is this correct?  Or have I made an error in my dspace.cfg's authorization system configuration? (This seems to be the behavior on the demo site as well.  I would appear to be able to edit any item there, only to be denied if I attempt to do so).

Essentially I want to know if I have some mis-configuration, or if this is the expected behavior.

Thanks for any advice!
~~Bill

--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen    University of Minnesota Libraries
612-626-9949 (U of M)    612-325-1777 (cell)

DSpace Technical Support

Aug 17, 2022, 4:49:08 PM
to DSpace Technical Support
Hi Bill,

These are known bugs which still exist in 7.3.  See these bug tickets:

https://github.com/DSpace/dspace-angular/issues/1482
So, these are definitely usability bugs.  While the system does block you from editing anything you don't have rights to edit, it should ideally filter out those objects from these lists.

Tim

Bill Tantzen

Aug 17, 2022, 4:56:46 PM
to DSpace Technical Support
Thanks, I looked (but overlooked those).
~~Bill
