Skip to content

DataverseNO - Dataset/Dataverse manage permissions fix#12503

Open
qqmyers wants to merge 2 commits into
IQSS:developfrom
GlobalDataverseCommunityConsortium:DNO/allowCollectionPermEditOnly
Open

DataverseNO - Dataset/Dataverse manage permissions fix#12503
qqmyers wants to merge 2 commits into
IQSS:developfrom
GlobalDataverseCommunityConsortium:DNO/allowCollectionPermEditOnly

Conversation

@qqmyers

@qqmyers qqmyers commented Jul 1, 2026

Copy link
Copy Markdown
Member

What this PR does / why we need it: As discussed in #3981 and #12218, the dataset and dataverse pages in the JSF UI only show the Edit menu when the user has the relevant edit permission. However, the menus contains items to allow editing permissions and groups which require only the relevant manage permissions permission to use. DUe to this, users in custom roles who could manage permissions but not edit the dataset/dataverse could only update permissions via API or navigating to the relevant permissions page manually.

This PR adjusts the logic to show the Edit Menu itself whenever any of the list items in it would be allowed (and then includes/omits the relevant items based on the permissions the user has.

Which issue(s) this PR closes:

Special notes for your reviewer:

For the Dataverse page, this also adds a check to see if the user is authenticated before checking their permissions to edit/manage. That's done for other menus and for datasets already - hopefully a minor perf boost.

The bulk of the single line changes are just use of the (mostly) pre-existing ui:params that were not yet being used everywhere. This PR makes changes such as DataversePage.dataset -> dataset everywhere. If needed, this could be a separate PR, but hopefully AI can do a sanity check on those and any human reviewer can just focus on the changes to the edit menu. I'll mark where those start with comments.

Suggestions on how to test this: Regression, plus create a role that has only the Manage<Dataverse, Dataset>Permission permission and not the corresponding Edit<Dataverse, Dataset>Permission and verify that the Edit menu shows and only has the Permission/Group entries.

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Is there a release notes update needed for this change?: inc.

Additional documentation:

@qqmyers qqmyers added Size: 10 A percentage of a sprint. 7 hours. GDCC: DataverseNO labels Jul 1, 2026
@qqmyers qqmyers moved this to Ready for Triage in IQSS Dataverse Project Jul 1, 2026
@qqmyers qqmyers added this to the 6.12 milestone Jul 1, 2026
<!-- Edit Dataset -->
<div class="btn-group btn-group-justified" jsf:rendered="#{sessionUserAuthenticated
and canUpdateDataset}">
and (canUpdateDataset or canManageDatasetPermissions or canManageFilesOnDataset)}">

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the start of the menu, which now shows if you can update or manage dataset/file perms.

</p:commandLink>
</li>
<ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DatasetPage.dataset) || permissionsWrapper.canManageFilesOnDataset(DatasetPage.dataset)}">
<ui:fragment rendered="#{canUpdateDataset}">

@qqmyers qqmyers Jul 1, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The menu items related to updating the dataset now only show with that permission (no changes to the items, just wrapping in the ui:fragment)

</ui:fragment>
<!-- Edit Button -->
<div class="btn-group" jsf:rendered="#{permissionsWrapper.canIssueUpdateDataverseCommand(DataversePage.dataverse)}">
<div class="btn-group" jsf:rendered="#{dataverseSession.user.authenticated and

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

start of menu - added auth user check and then the manageperms option

</h:link>
</li>
<ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DataversePage.dataverse)}">
<ui:fragment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as for dataset.xhtml - new ui:fragments to decide when to render and no changes to the items themselves.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

GDCC: DataverseNO Size: 10 A percentage of a sprint. 7 hours.

Projects

Status: Ready for Triage

1 participant