[regression] Admins can no longer add items from outside their org to a group
As mentioned in PR https://github.com/Esri/arcgis-rest-js/pull/854, the endpoint used to add an item to a group was recently changed to account for a change in the Sharing API v9.2.
Prior to 9.2, the `/content/items/:id/share` endpoint would allow an `org_admin` to share a private item, owned by another user, to a group (item owner must already be a member in said group). At 9.2, that no longer works; instead we need to use the `/content/users/:ownername/items/:id/share` route, which is what this PR changes.
This change, however, created a regression such that admin users can no longer add items owned by someone outside their org to a group. This affects not only standard group/sharing workflows but also favoriting (since favoriting is implemented as a group).
A specific case of this was already reported in issue #882, but this issue more broadly affects an admin sharing (or favoriting) any item outside their org, not just Living Atlas items.
Issue Analytics
- State:
- Created 2 years ago
- Comments: 5 (5 by maintainers)
Top GitHub Comments
Reading the code and the issue noted, I think… we want to use `/content/users/:ownername/items/:id/share` only: `role: "org_admin"` otherwise use `/content/items/:id/share`.
Currently we don’t get the item, so if we really want to restrict this flow to only non-public items, we’d have to do yet-another xhr. During the flow we do fetch the item owner if the `currentUser !== owner`, and so we could verify that the owner and the current user are in the same org (thus implying the item is in the same org)… this will take some refactoring, which is always scary w/ this part of the API - We do have a harness that we can use to verify this against the live api, so that’s a plus…
I can try to get to this early next week ~9/20/21 - if someone inside Esri wants to tackle this sooner, the harness lives in devtopia at /dc/portal-api-check
@tomwayson @dbouwman I think both of you wrote most of the original sharing code. Can you take a look?
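The route choice proposed in the top comment (owner route only for an `org_admin` whose org matches the item owner's, item route otherwise), as an added JavaScript sketch that is not arcgis-rest-js code. The `PORTAL` placeholder, the function names and the user record shape (`username`, `role`, `orgId`) are assumptions, and the caller is assumed not to be the item owner.

```javascript
// Added sketch, not arcgis-rest-js code. PORTAL is a placeholder host and
// the user record fields (username, role, orgId) are assumed shapes.
const PORTAL = "https://portal.example/sharing/rest";

// Route the issue says an org_admin needs at 9.2 for another user's item.
function ownerShareUrl(ownerName, itemId) {
  // Encode both values so a crafted username or id cannot change the path.
  return `${PORTAL}/content/users/${encodeURIComponent(ownerName)}` +
    `/items/${encodeURIComponent(itemId)}/share`;
}

// Route that does not name the owner.
function itemShareUrl(itemId) {
  return `${PORTAL}/content/items/${encodeURIComponent(itemId)}/share`;
}

// currentUser: the caller (assumed not to be the item owner).
// owner: the item owner's user record, or null if it could not be fetched.
function chooseShareUrl(currentUser, owner, itemId) {
  const isOrgAdmin = currentUser.role === "org_admin";
  // Same org only when the owner's orgId is known and equal to the caller's;
  // a missing or empty orgId never counts as a match.
  const sameOrg =
    owner != null &&
    typeof owner.orgId === "string" &&
    owner.orgId.length > 0 &&
    owner.orgId === currentUser.orgId;
  if (isOrgAdmin && sameOrg) {
    return ownerShareUrl(owner.username, itemId);
  }
  // Non-admins, and admins acting on an item owned outside their org
  // (the regression case in this issue), use the item route.
  return itemShareUrl(itemId);
}
```
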