Motivation

 

Several projects are interested in adding a feature where one person can upload on behalf of another user. Possible cases - a graduate

student uploads a large quantity of data for a researcher. The grad student did the uploading, but the 'owner' of the data is someone else. 

Another scenario - someone wants a particular type of analysis performed on a sample in a lab. There is a dedicated expert in the lab who performs that 

type of analysis for others. They want to be able to perform the analysis and upload the data for the other user. The file or dataset needs to be able 

to change owner/author while retaining info on who uploaded it. Perhaps a new role (Uploader?) is a way to achieve this.

 

Problems

 

  1. Security. 
  2. Transfer of ownership of file needs to preserve original uploader but current author. The actual owner should have more rights (such as 
    the right to delete the file. Who actually uploaded the file should stay attached as data.
  3. The person uploading for someone else should not be overwhelmed by seeing too many spaces, collections, datasets. 
  4. Avoid having to create too many new spaces. A user might be able to create a single space where the person they want to upload the data has 'Uploader' role.
  5. An uploader might make a mistake and upload the wrong file - some time window during which they can delete files they upload? 
  • No labels

9 Comments

  1. Todd Nicholson

    Please - anybody comment on this and let me know i you can think of any problems with this approach, or better ideas. 

  2. Jim Myers

    Are the concerns about what name shows up on the page, or who has permissions, or both? One reason I ask is because SEAD is adding the idea of a list of creators (analogous to the authors of a paper) that is separate from the person who entered the data in Clowder (the uploader/owner). We have not yet thought about giving that list any permissions (perhaps complex since we want you to be able to list people who do not have accounts), but if the uploader had a limited 'Uploader' role (your #4) and only "editors"/'Admins' of a space could edit/move/delete, would it help? Or does the uploader really have to lose permissions/ownership?

  3. Todd Nicholson

    Both are concerns. 

    For our users, the uploader is someone who just uploads data for someone else. in these cases, the person they upload for is the real 'author'. Its like a researcher handing off a sample to a graduate student or someone who runs a machine in a lab, that person performs some kind of analysis and uploads the data on behalf of the principle researcher. We want the 'uploader' to be able to delete for some short time, on the off chance they upload something wrong. The issue is that the author of the file should be the person the file was uploaded for, but they want to preserve who uploaded it for their own records. Researchers in our area (materials science) are very possessive about their data, though they usually will trust lab staff to perform analysis, they would not want anyone to have delete/edit/share rights on the file. 

     

    Creators sounds like they should be a different case entirely. That case would be like me uploading 'The Complete Works of the Bronte Sisters' - the creators would be the Bronte sisters, and I would be the 'owner' of the file in the sense that I would have the right to delete and all that. 

    1. Jim Myers

      It could be the Brontes, but in our use it is more like your case - either one of the creators uploads and they want to add themselves and their co-creators, or it is an assistant uploading and they add the creators and don't list themselves there. But we have had people list 'NASA' - when they've grabbed some satellite data for the time/place they're doing experiments.

      1. Todd Nicholson

        If the 'creator' can be an agency like NASA then it seems to make sense that the 'creator' should be an Option[String] since many cases will exist where it's not someone with an account. 

  4. Todd Nicholson

    I was thinking that for files, we have 

     

    Author : MiniUser

     

    If we create an 'author' object, it could then have Author, Creator, Uploader as fields. 

    1. Jim Myers

      Just to clarify: Author is the same as Owner above - it's one person and someone with an account? Overall I think these 3 concepts could co-exist, though the more related concepts, the more confusing it could be for users.

      For owner - do you see a need for this person to have permissions separate from what they get from their role in a space? Or is it just that the original Uploader needs to lose permissions? If that were the case, perhaps the uploader could lose their special permissions when the dataset is added to a space? (I haven't tried the following, but, right now, if a person uploads data, adds it to a space and then has their role in the space removed, do they still have the ability to delete the data? If so, it seems like that could be an issue that might go away if uploaders lose their special permission at some point). Overall. I'm  just wondering if this is an opportunity to simplify. Would uploaders need to lose thie ability to even see the data they put in, or is it just the edit/delete permissions that are an issue?

      I guess if uploading made you the uploader and owner, with permissions tied to being the owner, and you add the ability to transfer ownership, it wouldn't be much more complex than now - but if doing something to stop the uploader/owner from having special permissions at some point, such as when the data is first added to a space, or after some timeout, is enough w.r.t. permissions, perhaps the creator field could be configurable to only allow one person and/or to only allow Clowder users to be added as the value to solve the display issue (the label could be configurable too if 'Owner' would be better than 'Creator' when it is a single Clowder User).  (Would you want uploader, owner, and creator list for your case? Or would owner really be an alternative to showing a creator(s)?) Again, not pushing for a particular solution, just trying to explore the requirements and possibilities...

      1. Todd Nicholson

        Owner == author, sorry for confusion of using that term.

        For our users, it's important for the uploader to lose permissions at some point. People are very possessive of their data and don't want any risks that it could be accidentally deleted, moved or shared by anyone. 

         

        Uploader, Author, Creator would be best. If something isn't relevant, it can be None. 


        The idea of the 'uploader' role is that the lab staff should not be seeing any more of the author's work than absolutely necessary, and don't want to have to look for where they should be uploading. If a space is designated for this, then the author will know where the dataset/files will be, and can then move them. Perhaps once they are removed from that space the uploader loses permissions? 

         

         

  5. Todd Nicholson

    This weekend I'm going to try to create a branch that replaces the author : MiniUser with an actual Author type, just to see how difficult that might be, since it would seem to be a fix that would work for any cases we could encounter. 

     

    I'll probably create a 'transfer ownership' method that will work via the api but not via the GUI yet (I would want input on how that should look from other people) and then at the next meeting, I can get some feedback.