Spike: Data Export logs display in Consortium manager
Attachments
- 25 Mar 2025, 02:47 PM
- 25 Mar 2025, 02:47 PM
Activity
Vadym Shchekotilin 2 days ago
Hi @Magda Zacharska, thanks for the explanation about Data export: Can view only, now it’s clear.
Magda Zacharska 2 days ago
Hi @Vadym Shchekotilin - the Data export: Can view only permission does not allow the user to trigger an export (the drop-down area is disabled). The user cannot see the Data export Settings either, because that is driven by a separate permission: Settings (Data export): Can view only.
The fact that the user with Data export: Can view only permission can download the file already generated is somehow a grey area. It’s true that the user can download but after the download the user can only view the data. I would not file a separate ticket to fix it.
With the above, I don’t think there is any mislabeling of data export permissions.
https://folio-org.atlassian.net/browse/UICONSET-216 is about incorrectly handling tenant-level permissions and it should be addressed as you listed in the second part of your findings.
Vadym Shchekotilin 3 days ago
Hi @Magda Zacharska, then yes, looks like it’s another bug. Checked on snapshot env:
I added a user with only 1 permission:
And I can download files with it:
Magda Zacharska 3 days ago
Hi @Vadym Shchekotilin, the Data export: Can view only permission should not allow users to export/download files. Please refer to https://folio-org.atlassian.net/wiki/x/IABEFQ?atlOrigin=eyJpIjoiNzFkYjljNDIwODJiNGQzNGIwOGE3MjliOWExZGViM2EiLCJwIjoiYyJ9 as the user with this permission should only be able to:
- view Data export app
- view logs
- view Data export profiles in Settings.
If a user with Data export: Can view only can export/download files then there is a bug in the implementation of the permission.
Vadym Shchekotilin 5 days ago (Edited)
Findings
1. Data Export Module – Permissions Mislabeling
Current permissions:
- Data export: Can upload files, export, download files and view logs
- Data export: Can view only
Issue:
The "Can view only" permission is misleading, as it still grants the ability to export and download files, in addition to viewing logs.
So potentially we can rename it for clarity to something like (if it makes sense, of course):
- Data export: Can upload files, export, download files and view logs
- Data export: Can export, download files and view logs
2. Consortium manager module – Permission bug
Root cause of the visibility issue:
The code incorrectly uses hasPerm() from Stripes hook, which checks permissions in general, instead of checking permissions scoped to the specific tenant.
There are extra checks for data-export settings permissions in the Consortium manager that are unnecessary and should be removed to simplify and correct permission logic.
Next steps
As the problem was investigated, potentially we can fix the https://folio-org.atlassian.net/browse/UICONSET-216 bug.
Create another ticket for renaming permissions in data-export (optional)
Investigate the current implementation of data export logs display within the Consortium Manager to determine why permissions set on the Central tenant are incorrectly affecting log visibility for Member tenants.
A more in-depth analysis is also needed, as the current implementation of data-export permissions is far from ideal. The result of this spike should be a re-evaluation of https://folio-org.atlassian.net/browse/UICONSET-216 and additional information on possible solutions.
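The difference between a general permission check and a tenant-scoped one, as described in finding 2 above, shown in an added sketch that is not FOLIO or Stripes code. The permission name, tenant ids, per-tenant permission map and all function names are hypothetical; only the `hasPerm` name mirrors the hook mentioned in the findings.

```javascript
// Added illustration; not FOLIO/Stripes code. All names are hypothetical.
const VIEW_LOGS = 'example.data-export.logs.view'; // constructed permission name

// Constructed sample: permissions one user holds in each consortium tenant.
const userPermsByTenant = new Map([
  ['central', new Set([VIEW_LOGS])],
  ['memberA', new Set()], // no data-export access in this member tenant
  ['memberB', new Set([VIEW_LOGS])],
]);

// Models a general check like hasPerm(): it only knows the permissions of
// the tenant the session is logged in to, not the tenant being displayed.
function makeSession(activeTenant) {
  const perms = userPermsByTenant.get(activeTenant) ?? new Set();
  return { activeTenant, hasPerm: (name) => perms.has(name) };
}

// Tenant-scoped check: uses the permissions held in the tenant whose data
// is about to be shown. Unknown tenants are denied by default.
function hasPermInTenant(tenantId, name) {
  const perms = userPermsByTenant.get(tenantId);
  return perms !== undefined && perms.has(name);
}

// Flawed gate: one answer from the active tenant is applied to every tenant.
function visibleLogTenantsGeneral(session, tenants) {
  return tenants.filter(() => session.hasPerm(VIEW_LOGS));
}

// Corrected gate: each tenant's logs depend on that tenant's permissions.
function visibleLogTenantsScoped(tenants) {
  return tenants.filter((t) => hasPermInTenant(t, VIEW_LOGS));
}

const members = ['memberA', 'memberB', 'memberC'];
// Logged in to central: the general check exposes all member tenants.
console.log(visibleLogTenantsGeneral(makeSession('central'), members));
// Logged in to memberA: the general check hides logs the user may view.
console.log(visibleLogTenantsGeneral(makeSession('memberA'), members));
// Scoped check: the same result regardless of the active tenant.
console.log(visibleLogTenantsScoped(members));
```

The general check fails in both directions: it over-exposes member logs when the central tenant grants the permission and hides permitted logs when it does not.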