forked from doccano/doccano
-
Notifications
You must be signed in to change notification settings - Fork 3
Roles Permissions Matrix
Razi Rais edited this page Jul 23, 2019
·
22 revisions
Doccano relies on Django REST framework permissions (permissions.py) and also extend them permissions.py to perform user authorization. This is explained in a later section titled Authorization in Doccano
The following table represents the proposed association b/w roles and permissions in Doccano. Currently, roles are not implemented so following permissions are not used during authorization of a user.
Permissions(P) are represented by the rows and Roles(R) by the columns.
*Not currently available but can be added.
| P ↓ / R → | Label Manager | Label Reviewer | Data Manager | Project Admin | Annotator | Editor |
|---|---|---|---|---|---|---|
| Can add label | x | |||||
| Can change label | x | x | ||||
| Can delete label | x | |||||
| Can view label | x | x | ||||
| Can export data* | x | |||||
| Can import data* | x | |||||
| Can add project | x | |||||
| Can view project | x | |||||
| Can change project | x | |||||
| Can delete project | x | |||||
| Can add document annotation | x | x | ||||
| Can view document annotation | x | x | ||||
| Can change document annotation | x | x | ||||
| Can delete document annotation | x | |||||
| Can add seq2seq annotation | x | x | ||||
| Can view seq2seq annotation | x | x | ||||
| Can change seq2seq annotation | x | x | ||||
| Can delete seq2seq annotation | x | |||||
| Can add sequence annotation | x | x | ||||
| Can view sequence annotation | x | x | ||||
| Can change sequence annotation | x | x | ||||
| Can delete sequence annotation | x |
| Permission | Condition |
|---|---|
| IsProjectUser | User has access to the project. |
| IsAdminUserAndWriteOnly | Request is of type 'GET' or 'HEAD' or 'OPTIONS'. If not then user must have is_staff level access. |
| IsOwnAnnotation | User has access to an annotation. |
| IsAuthenticated | User is authenticated. |
| IsAdminUser | Allows access only to admin users. |
| IsAuthenticatedOrReadOnly | The request is authenticated as a user or is a read-only request. |
Following is the list of views views.py in Doccano along with the authorization check(s) used. When more than one check is performed all of them need to be passed for the user to be authorized.
| View | Authorization Check(s) |
|---|---|
| Me | IsAuthenticated |
| Features | IsAuthenticated |
| ProjectList | IsAuthenticated, IsAdminUserAndWriteOnly |
| ProjectDetail | IsAuthenticated, IsProjectUser, IsAdminUserAndWriteOnly |
| StatisticsAPI | IsAuthenticated, IsAdminUserAndWriteOnly |
| ApproveLabelsAPI | IsAuthenticated, IsProjectUser, IsAdminUser |
| LabelList | IsAuthenticated, IsProjectUser, IsAdminUserAndWriteOnly |
| LabelDetail | IsAuthenticated, IsProjectUser, IsAdminUserAndWriteOnly |
| DocumentList | IsAuthenticated, IsProjectUser, IsAdminUserAndWriteOnly |
| DocumentDetail | IsAuthenticated, IsProjectUser, IsAdminUserAndWriteOnly |
| AnnotationList | IsAuthenticated, IsProjectUser |
| AnnotationDetail | IsAuthenticated, IsProjectUser, IsOwnAnnotation |
| TextUploadAPI | IsAuthenticated, IsProjectUser, IsAdminUser |
| CloudUploadAPI | IsAuthenticated, IsProjectUser, IsAdminUser |
| TextDownloadAPI | IsAuthenticated, IsProjectUser, IsAdminUser |