From 68a37d566f7e24ee374e7264657cbba8668a57ee Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 5 Dec 2024 16:26:39 -0500 Subject: [PATCH 1/5] feat(manager): grant creation permissions help text --- src/components/manager/access/GrantForm.tsx | 36 +++++-- src/modules/authz/help.tsx | 112 ++++++++++++++++++++ 2 files changed, 137 insertions(+), 11 deletions(-) create mode 100644 src/modules/authz/help.tsx diff --git a/src/components/manager/access/GrantForm.tsx b/src/components/manager/access/GrantForm.tsx index 93270dbe4..711b449aa 100644 --- a/src/components/manager/access/GrantForm.tsx +++ b/src/components/manager/access/GrantForm.tsx @@ -6,6 +6,7 @@ import type { FormInstance, RadioGroupProps, RadioChangeEvent, SelectProps } fro import { RESOURCE_EVERYTHING, useOpenIdConfig } from "bento-auth-js"; import MonospaceText from "@/components/common/MonospaceText"; +import { PERMISSIONS_HELP } from "@/modules/authz/help"; import { useAllPermissions, useGroups } from "@/modules/authz/hooks"; import type { Grant, @@ -491,24 +492,37 @@ const PermissionsInput = ({ id, value, onChange, currentResource, ...rest }: Per const givenBy = pGivenBy[p.id] ?? []; const givenByAnother = givenBy.some((g) => checked.includes(g.id)); const disabled = !permissionCompatibleWithResource(p, currentResource); + const help: ReactNode | undefined = PERMISSIONS_HELP[p.id]; return { value: p.id, label: - !disabled && givenByAnother ? ( + !!help || (!disabled && givenByAnother) ? ( - Given by:{" "} - {givenBy.map((g, gi) => ( - - {g.id} - {gi !== givenBy.length - 1 ? ", " : ""} - - ))} - +
+ {!!help && ( + + {help} + {givenByAnother &&
} +
+ )} + {givenByAnother && ( + + Given by:{" "} + {givenBy.map((g, gi) => ( + + {g.id} + {gi !== givenBy.length - 1 ? ", " : ""} + + ))} + + )} +
} > - {p.verb} + + {p.verb} +
) : ( {p.verb} diff --git a/src/modules/authz/help.tsx b/src/modules/authz/help.tsx new file mode 100644 index 000000000..a60a58050 --- /dev/null +++ b/src/modules/authz/help.tsx 
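Review bot: The inner `{givenByAnother && (` branch of the new tooltip body drops the `!disabled` guard that the outer `!!help || (!disabled && givenByAnother)` condition still applies for the help-less case, so a permission that is disabled for the current resource but has help text will now render the "Given by:" list, while the same permission without help text would not. If that is unintended, compute the flag once, `const showGivenBy = !disabled && givenByAnother;`, and use it both in the label condition and in place of the inner `givenByAnother &&`. The `help` lookup is typed `ReactNode | undefined`, so `!!help` also treats an empty-string or `false` entry as "no help", which is probably fine but deserves a one-line comment. The enclosing `PermissionsInput` component starts and ends outside this hunk.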
@@ -0,0 +1,112 @@ +import type { ReactNode } from "react"; +import { + analyzeData, + createDataset, + createNotifications, + createProject, + deleteData, + deleteDataset, + deleteDropBox, + deleteProject, + deleteReferenceMaterial, + downloadData, + editDataset, + editPermissions, + editProject, + exportData, + ingestData, + ingestDropBox, + ingestReferenceMaterial, + queryData, + queryDatasetLevelBoolean, + queryDatasetLevelCounts, + queryProjectLevelBoolean, + queryProjectLevelCounts, + viewDropBox, + viewNotifications, + viewPermissions, + viewRuns, +} from "bento-auth-js"; + +export const PERMISSIONS_HELP: Record = { + // data + [queryData]: "Whether the subject can access data records for the resource, e.g. phenotypic metadata, experiments.", + [downloadData]: + "Whether the subject can download data files associated with the resource, e.g., download VCFs and other " + + "experiment results.", + [deleteData]: "Whether the subject can delete data from the resource, e.g., clearing all variants.", + [ingestData]: "Whether the subject can ingest new data into the resource, e.g., adding new biosamples.", + [analyzeData]: "TODO", // TODO + [exportData]: "TODO", // TODO + + // dataset + [editDataset]: + "Whether the subject can edit datasets (title, description, provenance metadata) in the specified node/project " + + "resource.", + [createDataset]: "Whether the subject can create datasets in the specified node/project resource.", + [deleteDataset]: + "Whether the subject can delete datasets from the specified node/project resource. This in turn deletes data " + + "inside the dataset.", + + // dataset_level_boolean + [queryDatasetLevelBoolean]: + "Whether the subject can see low-count-censored yes/no answers about the data at the dataset level. 
The " + + "low-count threshold is controlled by the resource's discovery configuration file.", + + // dataset_level_counts + [queryDatasetLevelCounts]: + "Whether the subject can see low-count-censored count answers about the data at the dataset level. The low-count " + + "threshold is controlled by the resource's discovery configuration file.", + + // drop_box + [viewDropBox]: + "Whether the subject can see the instance-wide drop box (staging area) for files. This permission is only valid " + + "for the Everything resource.", + [ingestDropBox]: "Whether the subject can upload files / create folders in the drop box.", + [deleteDropBox]: "Whether the subject can delete files / folders from the drop box.", + + // notifications + [viewNotifications]: "TODO", // TODO + [createNotifications]: "TODO", // TODO + + // permissions + [viewPermissions]: + "Whether the subject can view permissions which apply to only this resource, or any sub-resources.", + [editPermissions]: + "Whether the subject can edit permissions which apply to only this resource, or any sub-resources.", + + // private_portal + "view:private_portal": ( + <> + LEGACY PERMISSION. Whether the subject can view the private data portal, as well as POSSIBLY + SENSITIVE data in services which have not been converted to the new Bento authorization system. + + ), + + // project + [editProject]: + "Whether the subject can edit details about the project: title, description, and other provenance metadata.", + [createProject]: "Whether the subject can create a new project in the instance.", + [deleteProject]: "Whether the subject can delete a project from the instance.", + + // project_level_boolean + [queryProjectLevelBoolean]: + "Whether the subject can see low-count-censored yes/no answers about the data at the project level. 
The " + + "low-count threshold is controlled by the project/instance's discovery configuration file.", + + // project_level_counts + [queryProjectLevelCounts]: + "Whether the subject can see low-count-censored count answers about the data at the project level. The low-count " + + "threshold is controlled by the project/instance's discovery configuration file.", + + // reference_material + [ingestReferenceMaterial]: + "Whether the subject can ingest reference material (genomes, genome features) into the instance. Note that any " + + "reference material ingested is public, and available to anyone including anonymous users.", + [deleteReferenceMaterial]: + "Whether the subject can delete reference material (genomes, genome features) from the instance.", + + // runs + [viewRuns]: + "Whether the subject can view workflow runs. Currently only works when applied to the Everything resource!", +}; From 770be002965b073f6853c688a96798494174e19f Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 5 Dec 2024 16:33:59 -0500 Subject: [PATCH 2/5] auth notification permissions help --- src/modules/authz/help.tsx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/modules/authz/help.tsx b/src/modules/authz/help.tsx index a60a58050..fa416cf16 100644 --- a/src/modules/authz/help.tsx +++ b/src/modules/authz/help.tsx @@ -66,8 +66,10 @@ export const PERMISSIONS_HELP: Record = { [deleteDropBox]: "Whether the subject can delete files / folders from the drop box.", // notifications - [viewNotifications]: "TODO", // TODO - [createNotifications]: "TODO", // TODO + [viewNotifications]: + "Whether the subject can view notifications. Currently, this only works on the instance level; any " + + "project/dataset context is ignored.", + [createNotifications]: CURRENTLY UNUSED., // permissions [viewPermissions]: From 9def71630c308122d8ba183ad6064186f27c2096 Mon Sep 17 00:00:00 2001 
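Review bot: `PERMISSIONS_HELP` has no doc comment, and the map mixes imported permission constants with one literal key, `"view:private_portal"`, without saying why. I would add a TSDoc header such as `/** Help text shown in the grant form, keyed by permission id; values are rendered inside a Tooltip, so keep them to plain strings or small React nodes. */` and, on the literal key, a comment explaining that no constant is exported for it (or use the constant if `bento-auth-js` provides one; I cannot tell from the hunk). The entries that say a permission "is only valid for the Everything resource" (`viewDropBox`, `viewRuns`) describe a restriction this file does not enforce; a comment pointing at the actual check (`permissionCompatibleWithResource` in GrantForm.tsx appears to be it) would keep the help text and the enforcement from drifting apart.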
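Review bot: The new `[createNotifications]` value is a marker node (`CURRENTLY UNUSED.`; its wrapping element is not visible in this rendering) that the next patch, "mark analyze/export data permissions as unused", repeats verbatim for `analyzeData` and `exportData`. Hoist it once near the top of the file, `const UNUSED: ReactNode = <em>CURRENTLY UNUSED.</em>;` (substituting whatever element the file actually wraps it in), and reference `UNUSED` from all three entries so the wording and styling cannot diverge. The `viewNotifications` text asserts that any project/dataset context is ignored; a short `// NOTE:` on that line naming where that scoping decision is made would help whoever later changes notification permissions.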
From: David Lougheed Date: Fri, 6 Dec 2024 10:16:26 -0500 Subject: [PATCH 3/5] mark analyze/export data permissions as unused --- src/modules/authz/help.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/authz/help.tsx b/src/modules/authz/help.tsx index fa416cf16..b5d2fd653 100644 --- a/src/modules/authz/help.tsx +++ b/src/modules/authz/help.tsx @@ -36,8 +36,8 @@ export const PERMISSIONS_HELP: Record = { "experiment results.", [deleteData]: "Whether the subject can delete data from the resource, e.g., clearing all variants.", [ingestData]: "Whether the subject can ingest new data into the resource, e.g., adding new biosamples.", - [analyzeData]: "TODO", // TODO - [exportData]: "TODO", // TODO + [analyzeData]: CURRENTLY UNUSED., + [exportData]: CURRENTLY UNUSED., // dataset [editDataset]: From de408a812d9d8ac74139b127650fe970cf6c8b28 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Dec 2024 10:43:45 -0500 Subject: [PATCH 4/5] chore(manager): tweak help text for permissions --- src/modules/authz/help.tsx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/modules/authz/help.tsx b/src/modules/authz/help.tsx index b5d2fd653..71c090dfa 100644 --- a/src/modules/authz/help.tsx +++ b/src/modules/authz/help.tsx 
@@ -72,10 +72,11 @@ export const PERMISSIONS_HELP: Record = { [createNotifications]: CURRENTLY UNUSED., // permissions - [viewPermissions]: - "Whether the subject can view permissions which apply to only this resource, or any sub-resources.", + [viewPermissions]: "Whether the subject can view permissions on this resource, or any given sub-resource.", [editPermissions]: - "Whether the subject can edit permissions which apply to only this resource, or any sub-resources.", + "Whether the subject can edit permissions which apply to only this resource, or any sub-resources. For example, " + + "a user with the edit:permissions permission on just a specific dataset cannot edit grants for the project which " + + "contains this dataset.", // private_portal "view:private_portal": ( From ea513bf01f7ac41538a99b53a4546c9143020c44 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Dec 2024 10:51:56 -0500 Subject: [PATCH 5/5] chore(manager): better text for edit:permissions again --- src/modules/authz/help.tsx | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/modules/authz/help.tsx b/src/modules/authz/help.tsx index 71c090dfa..5a82b7c62 100644 --- a/src/modules/authz/help.tsx +++ b/src/modules/authz/help.tsx @@ -1,4 +1,5 @@ import type { ReactNode } from "react"; +import { Typography } from "antd"; import { analyzeData, createDataset, 
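Review bot: The two sibling entries now describe their scope in different words: `viewPermissions` becomes "on this resource, or any given sub-resource" while `editPermissions` keeps "which apply to only this resource, or any sub-resources". If view and edit are scoped identically, as the paired import names suggest, align the wording, e.g. `[viewPermissions]: "Whether the subject can view permissions which apply to only this resource, or any sub-resources."`, so a reader does not infer that viewing is broader than editing. The added example about a dataset-scoped `edit:permissions` grant not reaching the containing project is the security-relevant sentence in this file; the view entry would benefit from the same example with "edit" replaced by "view", assuming the scoping really matches.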
@@ -73,10 +74,13 @@ export const PERMISSIONS_HELP: Record = { // permissions [viewPermissions]: "Whether the subject can view permissions on this resource, or any given sub-resource.", - [editPermissions]: - "Whether the subject can edit permissions which apply to only this resource, or any sub-resources. For example, " + - "a user with the edit:permissions permission on just a specific dataset cannot edit grants for the project which " + - "contains this dataset.", + [editPermissions]: ( + <> + Whether the subject can edit permissions which apply to only this resource, or any sub-resources. For example, a + user with the edit:permissions permission on just a specific + dataset cannot edit grants for the project which contains this dataset. + + ), // private_portal "view:private_portal": (
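Review bot: The example in the new `[editPermissions]` JSX spells the permission id as a literal, `edit:permissions`, even though the entry is keyed on the imported `editPermissions` constant; rendering `{editPermissions}` inside the code element (presumably `Typography.Text code`, given the import added in the first hunk) keeps the displayed id in sync if the constant ever changes. Converting this value from a string to a fragment also requires the `Record` value type to be `ReactNode`; the existing `import type { ReactNode }` suggests it already is, but the type argument is not visible in this rendering, so please confirm. The `PERMISSIONS_HELP` object continues outside this hunk.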