[GeoNode-users] Other issues on the visibility of private groups

Simone Dalmasso simone.dalmasso at gmail.com
Tue May 19 23:04:16 PDT 2015


Alessandro and Francesco, thanks a lot for the detailed feedback. The
people page needs some work also in terms of performance as there's still
some post processing that slows down the API. The missing pagination in the
UI is a big regression.
I agree with the groups issues as well. Could you turn this into a ticket?

2015-05-20 7:33 GMT+02:00 Francesco Bartoli <xbartolone at gmail.com>:

> Hi Alessandro,
>
> my point of view inline.
>
> Regards,
> Francesco
>
> On 20 May 2015, at 00:54, Alessandro Sarretta <
> alessandro.sarretta at gmail.com> wrote:
>
>  Dear all,
> I'm writing here before adding a comment on github to ask you for confirmation
> on some issues I'm encountering.
>
> Two general questions:
>
>    - I've seen that there is no longer a "registered" users group where the
>    users are assigned by default. Is this correct? I think it should be useful
>    to have it to differentiate permissions between non-registered and
>    registered users.
>    - in the "Explore people" page I can only see the first 20 people, but
>    there is no way to move to the following pages. Changing in the URL
>    (.../people/?limit=20&offset=0) the "limit" from 20 to something bigger can
>    solve the problem, but it seems clear there's something missing in that
>    page.
>
> Then, playing around with groups and members, I found some other
> inconsistencies in the visibility of groups and members (issue 1784
> <https://github.com/GeoNode/geonode/issues/1784>), in particular looking
> in the profile page (http://geonodewebsite/people/profile/xxx). I'm
> explaining them here in detail hoping this could help in solving the issue:
>
>    1. A user can always see which group he's member of (ok)
>    2. When a group is public, users can always see if another user is
>    member of that group (ok)
>    3. When a group is private, users in general can't see if another user
>    is member of that group, (ok)
>    4. If a user is a member of a private group, he can't see if another
>    user is member of that group (not sure about the correctness of this, but I
>    would say that it should be possible)
>
> In general it depends. From a security perspective that should be possible
> based on the role and privileges kept by the user inside the group. Long
> story short in the coarse-grained authorization model (manager, not manager)
> only the manager should be able to see other members even if this
> potentially could be a choice (role in such specific group with visibility
> of members) but here we would be treating a fine-grained authorization
> model and I don’t think it is the use case of the current groups functionality
> IMHO
>
>
>    5. If a manager of a private group looks in the profile pages of
>    members of that group, he can't see if those users are members of the group
>    (in my opinion this is not correct)
>
> I’m with you
>
>
>    6. The previous behaviour is the same even if the manager is also
>    superuser (again I think this is not correct).
>
> It’s a consequence of the previous point
>
>
>
> Just to add a last information on that, a non registered user now can see
> everything (all groups and their members) in the "Explore Groups" page,
> even if the groups are private (and this is the issue 1784), but he can't
> see anything about membership in the user profile page (and this is
> correct).
> The only difference between a non-registered user and a registered one in
> the profile page is that the registered user can see a "Group" header, but
> without anything below (see attached images).
>  Let me know whether you have the same issues and if it's ok to report
> them in github.
> Thank you,
>
> Ale
>
>  --
>
> Alessandro Sarretta
>
> skype/twitter: alesarrett
> Web: ilsarrett.wordpress.com
>
> Research information:
>
>    - Google scholar profile
>    <http://scholar.google.it/citations?user=IsyXargAAAAJ&hl=it>
>    - ORCID <http://orcid.org/0000-0002-1475-8686>
>    - Research Gate
>    <https://www.researchgate.net/profile/Alessandro_Sarretta>
>    - <https://impactstory.org/AlessandroSarretta>
>
>   <registered.png><nonRegistered.png>
> _______________________________________________
> geonode-users mailing list
> geonode-users at lists.osgeo.org
> http://lists.osgeo.org/cgi-bin/mailman/listinfo/geonode-users
>


-- 
Simone
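
The profile-page visibility rules discussed in this thread, written as one deny-by-default check. This is an added example, not GeoNode code: the `User` and `Group` classes, the function names and the `members_see_members` switch (the open question of whether fellow members of a private group may see each other) are assumptions for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class User:                      # hypothetical stand-in for a user profile
    name: str
    is_superuser: bool = False

@dataclass
class Group:                     # hypothetical stand-in for a group
    name: str
    public: bool
    members: set = field(default_factory=set)    # user names
    managers: set = field(default_factory=set)   # user names, subset of members

def can_see_membership(viewer: Optional[User], target: User, group: Group,
                       members_see_members: bool = False) -> bool:
    """May `viewer` see, on `target`'s profile page, that target is in `group`?"""
    if target.name not in group.members:
        return False                       # nothing to disclose
    if viewer is None:
        return False                       # non-registered: no membership shown
    if viewer.name == target.name:
        return True                        # a user always sees their own groups
    if group.public:
        return True                        # public group: visible to users
    if viewer.is_superuser or viewer.name in group.managers:
        return True                        # manager or superuser, private group
    if viewer.name in group.members:
        return members_see_members         # fellow member: the open policy choice
    return False                           # private group, outsider

def visible_groups(viewer, target, groups, members_see_members=False):
    """Names of the groups to list under the "Group" header of target's profile."""
    return [g.name for g in groups
            if can_see_membership(viewer, target, g, members_see_members)]

# Constructed sample data: one public group, one private group managed by "cat"
ANA, BEN, CAT, DAN = User("ana"), User("ben"), User("cat"), User("dan")
ROOT = User("root", is_superuser=True)
GROUPS = [Group("open-data", True, {"ana", "ben"}, {"ana"}),
          Group("internal", False, {"ana", "ben", "cat"}, {"cat"})]
```

Filtering the list server-side with a check like this, rather than hiding entries in the template, keeps the "Explore Groups" page and the profile page from disagreeing about what a viewer may see.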