@dchandekstark
Last active December 24, 2015 11:59
Proposal: Add backward-compatible API to Hydra rights metadata permissions using a SQL-like grant/revoke syntax

Grant

grant [permission], to: [grantees] -> result

Arguments

permission - Symbol (required) - one of [:discover|:read|:edit]

to - one of:

  • :all - Grants permission to all (i.e., group: "public")
  • :public - Grants permission to "public" group
  • :registered - Grants permission to "registered" group
  • a Hash including:
    • :person - Individual name (String) or an Array of individual names
    • :group - Group name (String) or an Array of group names

Return value

Boolean - success/failure

Revoke

revoke [permission], from: [revokees] -> result

Arguments

permission - Symbol (required) - one of [:discover|:read|:edit|:all]. Use :all to revoke all permissions from the person(s) and/or group(s).

from - one of:

  • :all - Revokes permission from all (persons and groups) to whom it is assigned. revoke :all, from: :all is equivalent to clearing permissions on the object.
  • :public - Revokes permission from "public" group
  • :registered - Revokes permission from "registered" group
  • a Hash including:
    • :person - Revokes permission from an individual (String) or list of individuals (Array)
    • :group - Revokes permission from a group (String) or list of groups (Array)

Return value

Boolean - success/failure

Examples

object.permissions.grant :read, to: {person: 'fleece.vest@projecthydra.org'}
=> true
# Equivalent to: 
# object.permissions = [{type: "person", name: "fleece.vest@projecthydra.org", access: "read"}]

object.permissions.grant :read, to: :public
=> true
# Equivalent to:
# object.permissions = [{type: "group", name: "public", access: "read"}]

# person 'fleece.vest@projecthydra.org' has edit permission
object.permissions.revoke :edit, from: {person: 'fleece.vest@projecthydra.org'}
=> true
# Equivalent to (one way to do it):
# object.set_edit_users(object.edit_users - ['fleece.vest@projecthydra.org'], ['fleece.vest@projecthydra.org'])

# person 'fleece.vest@projecthydra.org' lacks edit permission
object.permissions.revoke :edit, from: {person: 'fleece.vest@projecthydra.org'}
=> false

object.permissions.revoke :all, from: :all
=> true
# Equivalent to:
# object.rightsMetadata.clear_permissions!

# Etc.

Questions

  • Should result be false on revoke if entity lacks permission specified?
  • Should result be false on grant if entity already (effectively) has permission?
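The grant/revoke semantics specified above, as an added stand-alone Ruby model (not part of the original gist and not Hydra code). The class name `PermissionSet`, the `to_a` helper and the storage as independent [type, name, access] entries are assumptions made for illustration; Hydra's access hierarchy is not modeled, and returning true when re-granting an existing permission is an assumed answer to the second question.

```ruby
require 'set'

# Stand-alone model of the proposed grant/revoke semantics (added example, not Hydra code).
class PermissionSet
  LEVELS = %i[discover read edit].freeze
  # Symbol shortcuts for grantees; per the proposal, :all means group "public" on grant.
  SHORTCUTS = { all: 'public', public: 'public', registered: 'registered' }.freeze

  def initialize
    @entries = Set.new # each entry is [type, name, access]
  end

  def grant(permission, to:)
    return false unless LEVELS.include?(permission)
    targets = expand(to)
    return false if targets.empty? # fail closed on an unrecognized grantee
    targets.each { |type, name| @entries << [type, name, permission.to_s] }
    true # assumption: re-granting an existing permission still succeeds
  end

  def revoke(permission, from:)
    return false unless permission == :all || LEVELS.include?(permission)
    matches = @entries.select do |type, name, access|
      (permission == :all || access == permission.to_s) &&
        (from == :all || expand(from).include?([type, name]))
    end
    return false if matches.empty? # nothing to revoke, as in the proposal's example
    @entries.subtract(matches)
    true
  end

  def to_a
    @entries.map { |type, name, access| { type: type, name: name, access: access } }
  end

  private

  # Normalize a grantee/revokee argument into [type, name] pairs.
  def expand(target)
    case target
    when Symbol then SHORTCUTS.key?(target) ? [['group', SHORTCUTS[target]]] : []
    when Hash
      Array(target[:person]).map { |n| ['person', n] } +
        Array(target[:group]).map { |n| ['group', n] }
    else []
    end
  end
end
```

An unknown permission or grantee symbol returns false without touching the stored entries, so a typo in the `to:` argument cannot widen access.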
@jcoyne

jcoyne commented Oct 2, 2013

  • Should result be false on revoke if entity lacks permission specified?
    Yes
  • Should result be false on grant if entity already (effectively) has permission?
    No

@jcoyne

jcoyne commented Oct 2, 2013

I think the :replace attribute is confusing, is that necessary?

@jcoyne

jcoyne commented Oct 2, 2013

I think just a simple true/false return value is fine. You can write the reason to the logger.

@dchandekstark
Author

Re: including message in return value, I was thinking about UI.

Re: :replace, I think we can drop it.
