Update contributor role permissions to include form view/edit layer

[gabestein]

Motivation

So admins can restrict contributors to viewing/editing pubs using specific forms -- implicitly, this means they can also only see/edit pubs of the types of forms they have access to.

Requirements

• Pub-Level Contributors:
  • If no forms are specified for the pub, they can only view the pub, using the default form.
  • If forms are specified:
    • Can view/edit pub via specified forms they’ve explicitly been given access to.
    • Can add other contributors to the pub (a bit awkward because it's on the view for now)
    • On the Pub edit page, can create/add/see related pubs via fields explicitly added to the form they have access to -- this only applies to the Pub view and update page, not overall permissions, similar to how we currently render related Pubs on pub view pages
    • Can delete/archive pub
    • If they have access to multiple forms, can switch between them using the switcher in Form view switcher #1036
• Stage-Level Contributors
  • If no forms are specified for the stage, they can only view all pubs in the stage, using the default form for a given Pub type.
  • If forms are specified:
    • Can still view all Pubs in stage using the default form
    • Can view/edit all Pubs in stage with the same type as specified forms
    • Can add other contributors to Pubs in stage forms they've been given access to (a bit awkward because it's on the view for now)
    • On Pub edit and view pages, can create/add/see related pubs via fields explicitly added to specified forms -- this only applies to the Pub view and update page, not overall permissions, similar to how we currently render related Pubs on pub view pages
    • CANNOT delete/archive pubs (I think)
    • If they have access to multiple forms, can switch between them using the switcher in Form view switcher #1036
• Community-Level Contributors
  • If no forms are specified, can only see/edit pubs they have access to via pub or stage memberships
  • If forms are specified, can create new pubs via specified forms at the community level ONLY (e.g., cannot create a pub via a "review form" if they only have access to it in a stage)

Acceptance Criteria

[kalilsn]

• Pub-Level Contributors:
  • If forms are specified:
    • Can add other contributors to pubs (a bit awkward because it's on the view for now)

should this be "Can add other contributors to the pub"? if not, does it mean all pubs with the pub type(s) of the form(s)?

* Can create/add/see related pubs via fields explicitly added to the form they have access to

create/add shouldn't be a problem. seeing related pubs is still tricky, since it makes calculating whether a user has view access a potentially quite expensive query. right now we're just handling that by embedding the related pubs into a the pub details page, to depth 2. if that's not sufficient anymore, we could allow configuration of the depth/whether to embed related pubs at all at the form_element level as part of the new view configuration

• Community-Level Contributors

  • If no forms are specified, can only see/edit pubs they have access to via pub or stage memberships
  • If forms are specified, can create new pubs via specified forms at the community level ONLY (e.g., cannot create a pub via a "review form" if they only have access to it in a stage)

when a contributor creates a pub, should we give them some kind of membership to it? maybe that's a new setting on the submit buttons or the form itself?

[gabestein]

should this be "Can add other contributors to the pub"? if not, does it mean all pubs with the pub type(s) of the form(s)?

Yup, good catch, thanks! Updated.

create/add shouldn't be a problem. seeing related pubs is still tricky, since it makes calculating whether a user has view access a potentially quite expensive query. right now we're just handling that by embedding the related pubs into a the pub details page, to depth 2. if that's not sufficient anymore, we could allow configuration of the depth/whether to embed related pubs at all at the form_element level as part of the new view configuration

Updated. We only need to replicate the functionality on view/edit pages, not via overall permissions, because when someone creates a new related pub, we'll add a membership to it for them, as you suggested. This creates an edge case if there are multiple contributors to a pub who each add related pubs, but we think that's okay, and certainly for now, if they can still edit those via the "from" pub view/update page.

when a contributor creates a pub, should we give them some kind of membership to it? maybe that's a new setting on the submit buttons or the form itself?

Yes... Will add another ticket for this.

[kalilsn]

Can view/edit all Pubs in stage that are controlled by specified forms

does "are controlled by" mean "have the same pub type as"?