[GeoNode-users] Other issues on the visibility of private groups
xbartolone at gmail.com
Tue May 19 22:33:18 PDT 2015
My point of view inline.
On 20 May 2015, at 00:54, Alessandro Sarretta <alessandro.sarretta at gmail.com> wrote:
> Dear all,
> I'm writing here before adding a comment on github to ask you for confirmation of some issues I'm encountering.
> Two general questions:
> I've seen that there is no longer a "registered" users group where the users are assigned by default. Is this correct? I think it should be useful to have it to differentiate permissions between non-registered and registered users.
> In the "Explore people" page I can only see the first 20 people, but there is no way to move to the following pages. Changing in the URL (.../people/?limit=20&offset=0) the "limit" from 20 to something bigger can solve the problem, but it seems clear there's something missing in that page.
> Then, playing around with groups and members, I found some other inconsistencies in the visibility of groups and members (issue 1784), in particular looking in the profile page (http://geonodewebsite/people/profile/xxx). I'm explaining them here in detail hoping this could help in solving the issue:
> A user can always see which groups he's a member of (ok)
> When a group is public, users can always see if another user is a member of that group (ok)
> When a group is private, users in general can't see if another user is a member of that group (ok)
> If a user is a member of a private group, he can't see if another user is a member of that group (not sure about the correctness of this, but I would say that it should be possible)
In general it depends. From a security perspective that should be possible based on the role and privileges kept by the user inside the group. Long story short, in the coarse-grained authorization model (manager, not manager) only the manager should be able to see other members, even if this potentially could be a choice (role in such specific group with visibility of members), but here we would be treating a fine-grained authorization model and I don’t think it is the use case of the current groups functionality, IMHO.
> If a manager of a private group looks in the profile pages of members of that group, he can't see if those users are members of the group (in my opinion this is not correct)
I’m with you
> The previous behaviour is the same even if the manager is also superuser (again I think this is not correct).
It’s a consequence of the previous point
> Just to add one last piece of information on that, a non-registered user now can see everything (all groups and their members) in the "Explore Groups" page, even if the groups are private (and this is the issue 1784), but he can't see anything about membership in the user profile page (and this is correct).
> The only difference between a non-registered user and a registered one in the profile page is that the registered user can see a "Group" header, but without anything below (see attached images).
> Let me know whether you have the same issues and if it's ok to report them in github.
> Thank you,
> Alessandro Sarretta
> skype/twitter: alesarrett
> Web: ilsarrett.wordpress.com
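The visibility rules discussed in this thread, written as one predicate that both the profile page and the group listing would call, so the two views cannot disagree (an added example, not GeoNode code and not part of the original messages; the class names, the `members_see_members` flag and the sample users are assumptions made for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False


@dataclass
class Group:
    slug: str
    private: bool
    members: set = field(default_factory=set)    # user names, managers included
    managers: set = field(default_factory=set)   # subset of members
    members_see_members: bool = False            # hypothetical per-group choice


def can_see_membership(viewer: Optional[User], subject: User, group: Group) -> bool:
    """May `viewer` (None = not logged in) learn that `subject` is in `group`?"""
    if subject.name not in group.members:
        return False                      # nothing to disclose
    if not group.private:
        return True                       # public group: visible to everyone
    if viewer is None:
        return False                      # private group, anonymous viewer
    if viewer.is_superuser or viewer.name == subject.name:
        return True                       # superuser, or a user's own profile
    if viewer.name in group.managers:
        return True                       # coarse-grained model: manager sees members
    # Plain members see each other only if the group opted in.
    return group.members_see_members and viewer.name in group.members


def visible_groups(viewer, subject, groups):
    """Group slugs to list on `subject`'s profile page."""
    return [g.slug for g in groups if can_see_membership(viewer, subject, g)]


def visible_members(viewer, group, users):
    """Member names to list on the group page; same policy as the profile page."""
    return [u.name for u in users if can_see_membership(viewer, u, group)]


# Constructed sample data.
ALICE, BOB, CAROL = User("alice"), User("bob"), User("carol")
ROOT = User("root", is_superuser=True)
OPEN = Group("open", private=False, members={"bob", "carol"})
SURVEY = Group("survey", private=True, members={"alice", "bob"}, managers={"alice"})
GROUPS, USERS = [OPEN, SURVEY], [ALICE, BOB, CAROL, ROOT]
```

Whether a private group's existence is listed at all is a separate decision; this predicate covers membership disclosure only.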