#238: WebSubmit: Fix or phase out "User_is_Record_Owner_or_Curator.py" function
-------------------------+--------------------------------------------------
Reporter: jcaffaro | Owner:
Type: enhancement | Status: new
Priority: minor | Milestone:
Component: WebSubmit | Version:
Keywords: |
-------------------------+--------------------------------------------------
Function User_is_Record_Owner_or_Curator.py does not bring more than what
is already possible to do with WebAccess and Is_Original_Submitter.py
function. In addition its name is misleading.
User_is_Record_Owner_or_Curator.py was apparently designed to let two
types of users modify a record (MBI):
1) original submitter (found in metadata)
2) curator (linked to WebAccess action "submit", for current WebSubmit
action (eg. MBI), doctype (eg. DEMOART) and category), a super-users group
that can modify any record handled by the submission.
The problem is that as soon as an authorization is added for the curators,
the original submitters can no longer enter the submission to make
modifications, as WebSubmit does not see them linked to the MBI action of
this submission. To let original submitters in, they must be linked to the
"submit" action, for MBI and adequate doctype. However as soon as this is
done, submitters are seen as curators of the submissions, and can edit any
record. The same protection can be achieved by simply removing the
function and keeping the authorizations...
To have the function behaves as expected, acc_authorize_action() should
not be run on action "submit", but for eg. on "curate" (or
"submit_curate", or "supersubmit", or ?).
--
Ticket URL: <http://invenio-software.org/ticket/238>
Invenio <http://invenio-software.org>
