Permisson model

[maxime-rainville]

Story

As a Site Owner I want a proper access control to be enforced on Link data so that I have confidence that only autorised user can view and edit link.

Acceptance criteria

• Sensible CanView/CanDelete/CanEdit/CanCreate method have been created.
• Can* method are driven by their owner/parent. (e.g. If you can view the page that owns the link, you can view the link as well)
• If at all possible, make sure Link is aware of the owner trying to create it before calling canCreate() on it, so we can correctly rely on the parent's canEdit() permissions for creation
• Link permission can be customised with Extensions
• Permissions have unit tests

Notes

• There's some UX questions about what would happen if a link points to a DataObject the current user is now allowed to view. Those concerns will be dealth with in a separate card.

POC PRs

• NEW Linkfield ownership #101
• NEW Link ownership (alternative to #101) #102

PRs

• ENH Add permission methods based on owner #134

[sabina-talipova]

PR was merged. Close.