Versions Compared

Old Version 12

changes.mady.by.user Andrea Bollini (4Science)

Saved on

compared with

New Version Current

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Managing Authorization info in Angular UIHow to pass Authorization rights (i.e. logged in user's access rights) from REST API to Angular?  See for example: https://github.com/DSpace/dspace-angular/issues/393
    1. Can this be achieved via passed HAL "_links" (e.g. the existence of an "edit" link in REST response means you must have Edit rights)?
    2. In July 25 meeting, we noted this probably cannot be resolved with just one simple solution. May need to look at different options for different scenarios
      1. Also likely to need to store/cache a user's Groups in UI layer, as some areas (e.g. Administrative) require knowledge of user group membership
  2. REST API Projections: 
    Jira
    serverDuraSpace JIRA
    serverIdc815ca92-fd23-34c2-8fe3-956808caf8c5
    keyDS-3533
    1. Early work begun at https://github.com/DSpace/DSpace/pull/1847.  Discussed in more detail in our Aug 22 meeting.  Overall, this approach seems like a good direction, need volunteers to move it forward.
      1. https://github.com/DSpace/Rest7Contract/issues/2 (discussion resumed by Andrea Bollini (4Science) could be relevant for the projection)
  3. Initial Performance Testing from Chris.
    1. https://cwilper.github.io/dspace-perftest/
  4. (REST Contract) Edit Homepage News: https://github.com/DSpace/Rest7Contract/pull/45
    1. Delayed until after Preview release. General agreement (in meeting on March 21, 2019) that storing HTML in metadata fields is not really ideal behavior.  Metadata (from a librarian standpoint) tends to be free of format-related markup (as that allows for easier sharing, understanding of metadata.  Currently Community & Collection homepage information is HTML-based and is stored in metadata that is appropriate for a minor subset of information (like the title) but it is better to move large/rich text to bitstreams.  
    2. Proposal here is to consider storing HTML-based markup (for Site, Community & Collection homepages) in Bitstream(s) associated with the object in question.  May allow for more CMS-lite behavior in the future
    3. Timeline for this is uncertain.  Possibly in 7 or 8. May depend on how/whether it can be scoped.
  5. Concurrency in DSpace 7 (or 8).  What do we want to do when multiple editors are editing the same object?  Needs further analysis regarding implementation details
    1. We've decided (in meeting on March 7, 2019) to use ETags to implement concurrency. REST Contract notes on ETags: https://github.com/DSpace/Rest7Contract#etags--conditional-headers
    2. ETags only update of the two fields match. If someone edits first, your edit would fail and you would get a fail response (422?)
    3. ETags seems to have broader support in other REST APIs.  Recommended also by both Art and Andrea.

Notes

  • Discussion of managing Authorization in DSpace 7.
    • Some specific use cases / needs require multiple authorization checks.  For example, Moving an Item requires permissions on both the Item itself and the Collection you are moving it to. 
    • Ideally, we all agree that the Angular UI should know as little about resource policies / authorization as it needs to.  Longer term, it'd be great to be able to essentially ask the REST API "can I move this item to this collection?" and get a response which lets the Angular UI know whether to display that "move" button.  However, that sort of logic will require backend refactoring of the Authorization system...and it'd be out of scope for DSpace 7.
    • For DSpace 7, we'll need to use an approach similar to DSpace 6...where unfortunately the UI will need to have more "understanding" of which permissions to check, and in some scenarios it might need to do multiple queries....e.g. moving an Item may require two queries...first, can this user edit the Item? second, can this user Add to the Collection?
    • Andrea notes we may be able to use HTTP OPTIONS method to do some of these requests.  It's purpose is to return what HTTP actions you can perform (so, it'll say whether you have permissions to GET, POST, PUT, PATCH or DELETE).  Some examples: https://codedestine.com/rest-options-restful-web-services/
    • Ben notes that sounds good, but in some scenarios there's not an easy "mapping" of an HTTP action to a permission level.  For example, withdrawing an item or moving an item don't map very well necessarily.
    • There's also the problem of permission inheritance.  Admins don't have explicit ResourcePolicy permissions on all objects, but inherit implicit permissions based on being a member of the Administrator Group.  This implicit/explicit permission checking is performed in our AuthorizeService: https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java
    • Should we be creating an endpoint that simply maps to the functionality of AuthorizeService?
    • Next Steps:  Andrea will draft a REST Contract for next week
      • Atmire will provide some example use cases for that REST Contract to take into account
      • We will analyze this again next week to see how best to implement on REST Side
        • Lieven notes that simplifying the REST side can sometimes make things harder on the Angular side.  Tim agrees, and notes that next week's discussion will be about finding the right balance for DSpace 7.
  • Meeting ended.