Permission problems

Hi all,

I have a setup running based on `kobo_docker`. Form creation in `kpi`
is broken for non-superuser users.
The immediate problem is that the application tries to retrieve a list
of assets by making a request to the `/assets/` endpoint. This request
returns a 403.
In the deployment on kobotoolbox.org, retrieving a read-only list of
assets is possible even for anonymous users. I guess this is due to
the fact that `ANONYMOUS_USER_ID` is set to the id of an existing user
instead of being set to `-1`.
Could you elaborate a bit on how this user is supposed to look like,
which permission he is supposed to have?

I was able to let anonymous users view assets in my local setup too by
setting `ANONYMOUS_USER_ID` to the id of an existing user (that has
the `kpi.view_asset` permission). However, regular, authenticated
users still get the 403 until they have been assigned the
`kpi.view_asset` permission also.

I created my users by POSTing to the `/profiles` endpoint of the
`kobocat` API. I assumed that those users would get all permissions
assigned that are necessary to be functional. This doesn't seem to be
the case. The same is true when I register the users through the
frontend.

I guess authenticated, regular users need all permissions found in
`kpi/fixtures/test_data.json`:

            "user_permissions" : [
               ["add_collection", "kpi", "collection"],
               ["change_collection", "kpi", "collection"],
               ["delete_collection", "kpi", "collection"],
               ["share_collection", "kpi", "collection"],
               ["view_collection", "kpi", "collection"],
               ["add_asset", "kpi", "asset"],
               ["change_asset", "kpi", "asset"],
               ["delete_asset", "kpi", "asset"],
               ["share_asset", "kpi", "asset"],
               ["view_asset", "kpi", "asset"]
            ]

How should I go about this? Do I need to manually assign all users the
necessary permissions, or is there a better way to have KoBo do this
automatically on user creation?

Thanks for your help!

Jesaja

To follow up on this: the problem was due to the user being created using the API. I created a related issue here: https://github.com/kobotoolbox/kobocat/issues/245

The AnonymousUser is created in kpi.models.object_permission.get_anonymous_user so that answers my questions regarding the ANONYMOUS_USER_ID setting.

···

On Thursday, June 30, 2016 at 4:41:09 PM UTC+3, Jesaja Everling wrote:

Hi all,

I have a setup running based on kobo_docker. Form creation in kpi
is broken for non-superuser users.
The immediate problem is that the application tries to retrieve a list
of assets by making a request to the /assets/ endpoint. This request
returns a 403.
In the deployment on kobotoolbox.org, retrieving a read-only list of
assets is possible even for anonymous users. I guess this is due to
the fact that ANONYMOUS_USER_ID is set to the id of an existing user
instead of being set to -1.
Could you elaborate a bit on how this user is supposed to look like,
which permission he is supposed to have?

I was able to let anonymous users view assets in my local setup too by
setting ANONYMOUS_USER_ID to the id of an existing user (that has
the kpi.view_asset permission). However, regular, authenticated
users still get the 403 until they have been assigned the
kpi.view_asset permission also.

I created my users by POSTing to the /profiles endpoint of the
kobocat API. I assumed that those users would get all permissions
assigned that are necessary to be functional. This doesn’t seem to be
the case. The same is true when I register the users through the
frontend.

I guess authenticated, regular users need all permissions found in
kpi/fixtures/test_data.json:

            "user_permissions" : [
               ["add_collection", "kpi", "collection"],
               ["change_collection", "kpi", "collection"],
               ["delete_collection", "kpi", "collection"],
               ["share_collection", "kpi", "collection"],
               ["view_collection", "kpi", "collection"],
               ["add_asset", "kpi", "asset"],
               ["change_asset", "kpi", "asset"],
               ["delete_asset", "kpi", "asset"],
               ["share_asset", "kpi", "asset"],
               ["view_asset", "kpi", "asset"]
            ]

How should I go about this? Do I need to manually assign all users the
necessary permissions, or is there a better way to have KoBo do this
automatically on user creation?

Thanks for your help!

Jesaja