Stream: community

Topic: Loophole : from Curator to Admin


luddaniel (May 15 2024 at 16:12):

Out of curiosity, I was wondering if there is a loophole in Curator role :
You have the permission AddDataverse but not PublishDataverse.
But when you create a new collection, you are... admin, then you can publish the collection you just created (https://github.com/IQSS/dataverse/blob/develop/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java#L112)
What do you think ?

Philip Durbin 🚀 (May 15 2024 at 16:24):

Interesting.

Philip Durbin 🚀 (May 15 2024 at 16:24):

I'm just adding this link for 6.2 because develop is always changing: https://github.com/IQSS/dataverse/blob/v6.2/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java#L112

Philip Durbin 🚀 (May 15 2024 at 16:29):

Yes, the creator of a collection becomes the admin of it.

luddaniel (May 15 2024 at 18:29):

Philip Durbin said:

Yes, the creator of a collection becomes the admin of it.

Is it for you a wanted behaviour ?

Philip Durbin 🚀 (May 15 2024 at 18:30):

Well, sort of. Some Dataverse installations want users to be able to create collections in the root collection. And publish them. This is how it was for Harvard Dataverse for a long time.

luddaniel (May 15 2024 at 18:40):

Would it be better if we removed this hard coded line and added PublishDataverse permissions to the Curator ?
I mean the line between Admin and Curator role is not very clear as AddDataverse allows to create and create gives Admin role (on the created collection)

Philip Durbin 🚀 (May 15 2024 at 18:42):

Woof. I don't want to break anything. It's a delicate balance.

luddaniel (May 15 2024 at 18:42):

I guess I don't like the idea of Dataset Reviewers (Curator) managing collections, we are thinking about removing AddDataverse permission out of the Curator Role as an example

Philip Durbin 🚀 (May 15 2024 at 18:43):

I wonder how much we use the Curator role. I'm really not sure.

Philip Durbin 🚀 (May 15 2024 at 18:43):

You could allow reviewers in by creating a private url.

Philip Durbin 🚀 (May 15 2024 at 18:43):

Rather than making them curators.

luddaniel (May 15 2024 at 18:44):

haha, now we are jumping on https://github.com/IQSS/dataverse/issues/9938
Contributor cannot create private url ^^

Philip Durbin 🚀 (May 15 2024 at 18:48):

Hmmm :eyes:

Philip Durbin 🚀 (May 15 2024 at 18:48):

My temptation is to try to encode your workflow in a series of API tests.

Philip Durbin 🚀 (May 15 2024 at 18:49):

Like https://github.com/IQSS/dataverse/blob/v6.2/src/test/java/edu/harvard/iq/dataverse/api/InReviewWorkflowIT.java for example.

Philip Durbin 🚀 (May 15 2024 at 18:49):

To better understand when you are using this or that role, from the beginning.

luddaniel (May 15 2024 at 18:51):

We are kind of facing multiple issues, because here we want :

luddaniel (May 15 2024 at 18:53):

And there is another level of role (Curator or Contributor) when you create a dataset (Dataset Creator) ^^

luddaniel (May 15 2024 at 18:55):

Most important : keep the "Submit datasets for review"

luddaniel (May 15 2024 at 18:57):

We will mature on those subjects, I'll create a better post to explain the needs

Gustavo Durand (May 15 2024 at 18:58):

luddaniel said:

Out of curiosity, I was wondering if there is a loophole in Curator role :
You have the permission AddDataverse but not PublishDataverse.
But when you create a new collection, you are... admin, then you can publish the collection you just created (https://github.com/IQSS/dataverse/blob/develop/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java#L112)
What do you think ?

FYI, I don't consider this a loophole. The Publish Dataverse command is for itself, and they cannot publish that. They can publish child dataverses (since they become admin on it) and that (to me) is in line with being able to publish child datasets

I don't believe we want to give Curators the ability to Publish the dataverse for which they are just a curator and not admin.

luddaniel (May 15 2024 at 18:59):

understandable

Philip Durbin 🚀 (May 15 2024 at 18:59):

It would be good to pull in @Sonia Barbosa as well. I'm sure she has lots of thoughts on these roles and how best to use them.

Right now it's hard for me to judge if we should change how Dataverse works or if a tweak to your workflows would help.

luddaniel (May 15 2024 at 18:59):

Same here ^^

luddaniel (May 22 2024 at 09:21):

The subject ended up here : https://github.com/IQSS/dataverse/issues/10575

Philip Durbin 🚀 (May 22 2024 at 12:52):

Ah, great. Thanks for letting us know!


Last updated: Nov 01 2025 at 14:11 UTC