added the configurable ability to restrict generation of a given coho…

…rt to only persons who have been granted permission to change the same cohort.
OHDSI · May 9, 2024 · 0493316 · pieterlukasse · May 10, 2024 · 0493316
1 parent 8396b4d
commit 0493316
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 11 deletions.
diff --git a/js/components/security/access/configure-access-modal.html b/js/components/security/access/configure-access-modal.html
@@ -92,19 +92,20 @@
 		<label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.globalReadStatus', 'Status of global READ access:')"></label>
 		<div/>
 		<div class="btn-group" data-toggle="buttons">
-		    <label data-bind="css: { active: shareFlag() },
-				      click: function () { shareFlag(true); revokeGlobalReadAccess();},
+		    <label data-bind="css: { active: !shareFlag()},
+				      click: function () { shareFlag(false); grantGlobalReadAccess();},
 				      clickBubble: false,
-				      text: ko.i18n('common.configureAccessModal.globalReadStatusNotGranted', 'Not Granted')
+				      text: ko.i18n('common.configureAccessModal.globalReadStatusNotGranted', 'Granted')
 				      "
 			   class="btn btn-primary",		   
 		    />
-		    <label data-bind="css: { active: !shareFlag() }, 
-				      click: function () { shareFlag(false); grantGlobalReadAccess();},
+		    <label data-bind="css: { 
+				      active: shareFlag()}, 
+				      click: function () { shareFlag(true); revokeGlobalReadAccess();},
 				      clickBubble: false,
-				      text: ko.i18n('common.configureAccessModal.globalReadStatusIsGranted', 'Granted')
+				      text: ko.i18n('common.configureAccessModal.globalReadStatusIsGranted', 'Not Granted')
 				      " 
-			   class="btn btn-primary",		   
+			   class="btn btn-primary",		   		   
 		    />
 		</div>	
 	    </div>

diff --git a/js/components/security/access/configure-access-modal.js b/js/components/security/access/configure-access-modal.js
@@ -156,7 +156,7 @@ define([
 		    this.isLoading(true);
 		    try {
 			console.log('grantGlobalReadAccess  function  called to grant read permissions!! shareflag: ' + this.shareFlag());
-			await this.grantAccessFn('1','READ'); // 16 is the 'public' role, a SYSTEM role every user should have
+			await this.grantAccessFn('1','READ'); // 1 is the 'public' role, a SYSTEM role every user should have
 			await this.loadAccessList();
 		    } catch (ex) {
 			console.log(ex);
@@ -168,7 +168,7 @@ define([
 		    this.isLoading(true);
 		    try {
 			console.log('revokeGlobalReadAccess  function  called to REVOKE read permissions!! shareflag: ' + this.shareFlag());
-			await this.revokeAccessFn('1','READ'); // 16 is the 'public' role, a SYSTEM role every user should have
+			await this.revokeAccessFn('1','READ'); // 1 is the 'public' role, a SYSTEM role every user should have
 			await this.loadAccessList();
 		    } catch (ex) {
 			console.log(ex);

diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
@@ -407,8 +407,18 @@ define(function(require, exports) {
     }
 
     var isPermittedGenerateCohort = function(cohortId, sourceKey) {
-        return isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
-            isPermitted('cohortdefinition:' + cohortId + ':info:get');
+	var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
+		isPermitted('cohortdefinition:' + cohortId + ':info:get');
+
+	// By default, everyone can generate any artifact they have
+	// permission to read. If a permissionManagementRoleId has
+	// been assigned, (non- empty string assignment), the default
+	// generate functionality is not desired. Rather, users will have to
+	// have a role that allows them to update the specific cohort definition. 
+	if (config.permissionManagementRoleId !== ""){
+	    v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
+	}
+        return v
     }
 
     var isPermittedReadCohortReport = function(cohortId, sourceKey) {