Reviewers, editors and final editors; can submit even in collections with a restricted group of submitters #3849
Comments
|
Thank @DanGastardelli for reporting this. I'm able to verify this on the demo site (https://demo.dspace.org) using the following steps:
Obviously, this seems incorrect, as you don't have SUBMIT privileges. Even though you have special privileges granted on the Collection, it doesn't seem like you should be allowed to submit to it. I'll bring this to the next developers meeting to discuss. https://wiki.lyrasis.org/display/DSPACE/2025-01-23+DSpace+Developers+Meeting |
tdonohue
added
help wanted
|
We discussed this bug in today's Developers Meeting: https://wiki.lyrasis.org/display/DSPACE/2025-01-23+DSpace+Developers+Meeting#id-20250123DSpaceDevelopersMeeting-Notes General consensus was that this definitely is a bug, but it's likely not high priority at this time. The cause of the bug is a lack of specificity to our access controls. Currently, in DSpace, submit privileges are determined based on whether an EPerson has "ADD" privileges given to a specific Collection. The "Submitters" group is never actually checked, but instead is just a way to provide bulk "ADD" privileges to that Collection -- as all members of that group inherit "ADD" privileges. The complication is that Workflow approval roles also require "ADD" privileges on the specific Collection in order to give workflow roles the ability to edit "in-progress" submissions (for the "Editor" and "Final Editor" role). So, this bug exists because both roles need to have ADD privileges. We don't yet have a different privilege type specific to Workflow, which could give Workflow roles permissions to edit existing Submissions but not add new submissions. This may require a larger overhaul of our permissions system, or defining a new privilege type that is specific to workflow roles. At this time, the Committers in the meeting agreed this is a bug. However, it doesn't seem high priority because it likely would not significantly impact many sites. At many institutions, workflow roles go to trusted individuals. In many cases, these same individuals are trusted enough to create submissions on behalf of others, etc. Even if they were to submit to the same collection, their submission would go through the same workflow approval process (and could therefore be rejected by others in the process). Therefore, this permission issue may be unexpected behavior, but it's not seen as a severe bug at this time. Changing to "medium priority". However, still leaving this open for volunteers to investigate, as we would like to start brainstorming ways to fix this confusing behavior. |
tdonohue
added
medium priority
component: workflow
authorization
|
Understood @tdonohue , thanks a lot for the feedback. |
Describe the bug
When having collections with a submitter group and some workflow role group (whether reviewer, editor or final editor), the member of the role group can submit to the collection even without being part of the submitter group. The test was done in versions 7.5, 8.1 and 9.0.
To Reproduce
Steps to reproduce the behavior:
Log in to DSpace;
Create a submitter group and a workflow role;
Include different users in each group;
Log in as one of the users who is only in the chosen workflow group;
Attempt to submit to this collection.
Expected behavior
If the user is only in a workflow role for the collection and is not part of the submitter group, he/she will not be able to submit.
The text was updated successfully, but these errors were encountered: