Filter cohorts and concepts by permission

[rkboyce]

No description provided.

[chrisknoll]

This method has changed in a backwards breaking way, I think we should leave the existing method alone and add a new one that takes the /role as a param. It looks like the default action is write, so we could include a new route that takes role, and call a common method that takes role as params:

listAccessForEntity(...) {
  listAccessForEntityRole(..., AccessType.Write)
}

listAccessForEntityRole(...) {
  /// this method takes the implemnetation for listAccessesForEntity but now handles the role type
}

Also, the param type for role param could be a AccessType enum, but would have to experiment if the /{role} as /WRITE would map properly to the enum.

[chrisknoll]

Also, there's some overloading of terms 'role' where in this context, it is 'READ', 'WRITE' for 'role' but in other places we have 'Admin' as a role and 'Atlas User' as a role...but the latter roles maps to a shiro 'group' (which you assign permissions to'....we could probably interchange groups and roles, however, the AccessType is neither a group or a role...so...I don't have a solution here, just pointing out the differences in context.

It's almost like we're talking about a 'permission type' .. permission to read, permission to write.

[rkboyce]

I addressed this the overloading of the 'role' string by using 'permType' as the parameter. The function name is now listAccessesForEntityByPermType used for the /access/{entityType}/{entityId}/{permType} endpoint with WRITE as the default permission type sent from the client. This distinguishes it from listAccessesForEntity which is used for the /access/suggest endpoint. I did not get a chance to test if the AccessType enum would work instead of string "READ" and "WRITE".

[chrisknoll]

@rkboyce , I noticed when we did the walkthrough and we enabled the filter on the server, the asset list returned nothing until I created a new asset and it got the read perm assigned to it. I wanted to ask: have we thought about considering 'read access' if you have write? This way, if we enable it, anything I've been granted write access will appear, plus anything that someone grants me read access to. Basically the filter becomes if (canRead || canWrite| then show item. Is that possible or was there a reason why we had to explicitly look for the granted permission? The only reason why I bring this is that it seems if you can write to something then you can also read it...

[rkboyce]

In response to the last comment about "have we thought about considering 'read access' if you have write" -- yes, it is implemented that way and seems to function correctly based on my tests.

This updated draft pull request implements the READ permissions filtering across all the following applications in Atlas:

• concept sets
• Cohort definition
• Cohort characterization
• Incident Rates
• Estimation
• Prediction

All have functioned as expected : things are not accessible to a user unless 1) they create the entity (which sets READ and WRITE), or 2) they are given READ permission to the entity

NOTE: These changes will need to come with a new system role that the admins could select which I am calling the 'Read Restricted Atlas User' role. I think the following query could be the basis for adding SQL to flyway to create this role:

select distinct sp.*
from ohdsi.sec_role_permission srp 
  inner join ohdsi.sec_permission sp on srp.permission_id = sp.id 
where srp.role_id in (6,10) -- 'cohort reader', 'Atlas Users'
 and sp.value not in 
    (  
    	'conceptset:*:get',
    	'conceptset:*:expression:get',
    	'conceptset:*:version:*:expression:get',    	       
    	--
        'cohortdefinition:*:get',
        'cohortdefinition:*:info:get',
        'cohortdefinition:*:version:get',
        'cohortdefinition:*:version:*:get',        
        --        
	        'cohort-characterization:*:get',
                'cohort-characterization:*:generation:get',
		'cohort-characterization:generation:*:get',
		'cohort-characterization:design:get',
		'cohort-characterization:*:design:get',
		'cohort-characterization:design:*:get',
		'cohort-characterization:*:version:get',
		'cohort-characterization:*:version:*:get',
		--
		'pathway-analysis:*:get',
		'pathway-analysis:*:generation:get',
		'pathway-analysis:generation:*:get',
		'pathway-analysis:generation:*:result:get',
		'pathway-analysis:generation:*:design:get',
		'pathway-analysis:*:version:get',
		'pathway-analysis:*:version:*:get'
		--
		'ir:*:get',
		'ir:*:copy:get',
		'ir:*:info:get',
		'ir:*:design:get',
		'ir:*:version:get',
		'ir:*:version:*:get'
		--		
		'estimation:*:get',
		'estimation:*:copy:get',
		'estimation:*:download:get',
		'estimation:*:export:get',
		'estimation:*:generation:get'
               'comparativecohortanalysis:*:get',
		--
		'prediction:*:get',
		'prediction:*:copy:get',
		'prediction:*:download:get',
		'prediction:*:export:get',
		'prediction:*:generation:get',
		'prediction:*:exists:get',
                'plp:*:get'
    )
order by sp.value 
;

[chrisknoll]

We should default this to true, and rely on settings.xml to override this setting. This will maintain current behavior between versions.

[rkboyce]

corrected now and tested that setting the variable false in the WebAPIConfig/settings.xml works

[chrisknoll]

This is a place wehre we want to have proper stayle: defaultGlobalReadPermissions

[rkboyce]

corrected

[chrisknoll]

I believe this was mentioned before but you can put the filter conditional in the stream expression:

      return StreamSupport.stream(service.getAnalysisList().spliterator(), false)
	.filter(!defaultglobalreadpermissions  ? candidateEstimation -> permissionService.hasReadAccess(candidateEstimation) : candidateEstimation -> true)
	.map(analysis -> {
	    EstimationShortDTO dto = conversionService.convert(analysis, EstimationShortDTO.class);
	    permissionService.fillWriteAccess(analysis, dto);
	    permissionService.fillReadAccess(analysis, dto);
	    return dto;
	  })
	.collect(Collectors.toList());

[chrisknoll]

For backwards compatibility, you should maintain the endpoint /access/entityType/entityId, tho this will default to the perm type of 'WRITE'. So, revert this change to leave listAccessForEntity, but have this function call over to 'listAccessForEntityByPermType) with the perType paramater as AccessType.WRITE. In addition, i believe permType should be the enum, not the string, but will need to do some tests if the Java REST api will automatically serialize the ENUM input. The issue is that you could pass a perm type of 'BlahBlah' and it will assume that is 'READ' via the else statement.

[chrisknoll]

use conditional filter here.

[chrisknoll]

use conditional filter here.

[chrisknoll]

use conditional filter here, will simplify code so that you only have the one getTransactionTemplarte() call, but within the stream you filter conditionally before mapping.

[rkboyce]

A detail worth mentioning - were were curious what would happen if a person without read access knew the URL to an entity and tried a GET. I tested as follows:

1. logged in as an admin, created a brand new entity (did it for a few types e.g., cohort definition, estimation, etc)

2. copied the URL

3. logged out from the admin account and logged in to a user account without access to the entity

4. put the URL in the browser

The result is an empty page with no message at all. The server simply returns a 403 with an empty body in the response. Atlas renders nothing. So, I think it is Ok for now.

[chrisknoll]

Yes, that's fine. Ok, if you're done with your part, I will merge this into a new feature branch under WebAPI so I can put in the final changes. Let me know if you are ready for me to do that.

Merging into feature branch in WebAPI.

[rkboyce]

All good here!

[chrisknoll]

The new PRs are ready, if you could pull both the Atlas and WebAPI branches, @rkboyce , and give it a shot in your local env, and report in the other PR threads if it is good or if you found issues. Thanks.