DataverseNO - Dataset/Dataverse manage permissions fix#12503
Open
qqmyers wants to merge 2 commits into
Open
Conversation
qqmyers
commented
Jul 1, 2026
| <!-- Edit Dataset --> | ||
| <div class="btn-group btn-group-justified" jsf:rendered="#{sessionUserAuthenticated | ||
| and canUpdateDataset}"> | ||
| and (canUpdateDataset or canManageDatasetPermissions or canManageFilesOnDataset)}"> |
Member
Author
There was a problem hiding this comment.
This is the start of the menu, which now shows if you can update or manage dataset/file perms.
qqmyers
commented
Jul 1, 2026
| </p:commandLink> | ||
| </li> | ||
| <ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DatasetPage.dataset) || permissionsWrapper.canManageFilesOnDataset(DatasetPage.dataset)}"> | ||
| <ui:fragment rendered="#{canUpdateDataset}"> |
Member
Author
There was a problem hiding this comment.
The menu items related to updating the dataset now only show with that permission (no changes to the items, just wrapping in the ui:fragment)
qqmyers
commented
Jul 1, 2026
| </ui:fragment> | ||
| <!-- Edit Button --> | ||
| <div class="btn-group" jsf:rendered="#{permissionsWrapper.canIssueUpdateDataverseCommand(DataversePage.dataverse)}"> | ||
| <div class="btn-group" jsf:rendered="#{dataverseSession.user.authenticated and |
Member
Author
There was a problem hiding this comment.
start of menu - added auth user check and then the manageperms option
qqmyers
commented
Jul 1, 2026
| </h:link> | ||
| </li> | ||
| <ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DataversePage.dataverse)}"> | ||
| <ui:fragment |
Member
Author
There was a problem hiding this comment.
Same as for dataset.xhtml - new ui:fragments to decide when to render and no changes to the items themselves.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it: As discussed in #3981 and #12218, the dataset and dataverse pages in the JSF UI only show the Edit menu when the user has the relevant edit permission. However, the menus contains items to allow editing permissions and groups which require only the relevant manage permissions permission to use. DUe to this, users in custom roles who could manage permissions but not edit the dataset/dataverse could only update permissions via API or navigating to the relevant permissions page manually.
This PR adjusts the logic to show the Edit Menu itself whenever any of the list items in it would be allowed (and then includes/omits the relevant items based on the permissions the user has.
Which issue(s) this PR closes:
Special notes for your reviewer:
For the Dataverse page, this also adds a check to see if the user is authenticated before checking their permissions to edit/manage. That's done for other menus and for datasets already - hopefully a minor perf boost.
The bulk of the single line changes are just use of the (mostly) pre-existing ui:params that were not yet being used everywhere. This PR makes changes such as
DataversePage.dataset->dataseteverywhere. If needed, this could be a separate PR, but hopefully AI can do a sanity check on those and any human reviewer can just focus on the changes to the edit menu. I'll mark where those start with comments.Suggestions on how to test this: Regression, plus create a role that has only the Manage<Dataverse, Dataset>Permission permission and not the corresponding Edit<Dataverse, Dataset>Permission and verify that the Edit menu shows and only has the Permission/Group entries.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Is there a release notes update needed for this change?: inc.
Additional documentation: