
Pages need access controls #79

@dylanmcreynolds

Currently the only objects in Splash that enforce access controls are runs.

Runs will look a little different from pages as far as access controls go, as we have a little more control over things. But they will be similar. Here's generally the design:

View Access

  • splash-md documents will contain a new field called accessGroups. This will be a list of strings.
  • View access for listing pages will add a check to the mongo query to limit the results to only those items for which the user belongs to a team that is in the item's accessGroup field. (Similar to `for team in user_teams:`)
  • View access for an individual page access will be controlled in a similar way to `run_auth = run.metadata['start'].get('data_groups')`. I think we want a new TeamAccessPolicy class (similar to the TeamRunChecker) to assert policy specific to pages... I like the word Policy better than AccessChecker.

View Edit

  • The policy, for now, for Pages will be "anyone with access can edit". But I want this to be controlled by the TeamAccessPolicy (above) so that it's easy and obvious to change the policy if we need to.
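
One way the design in this issue could look in Python, as an added example that is not Splash's own code. Only the `accessGroups` field and the `TeamAccessPolicy` name come from the issue; the method names, the `User` type and the sample pages are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:  # hypothetical stand-in for the authenticated user
    uid: str
    teams: frozenset = field(default_factory=frozenset)


class TeamAccessPolicy:
    """Single place where page view/edit rules live (hypothetical methods)."""

    FIELD = "accessGroups"  # field name taken from the issue text

    def list_filter(self, user, base_query=None):
        """Return a Mongo filter limited to pages the user's teams may see."""
        # $in on an array field matches when any element is in the list.
        # A user with no teams gets {"$in": []}, which matches nothing (deny).
        restriction = {self.FIELD: {"$in": sorted(user.teams)}}
        if not base_query:
            return restriction
        # $and keeps a caller-supplied accessGroups clause from replacing ours.
        return {"$and": [base_query, restriction]}

    def can_view(self, user, page):
        """Per-document check; a missing or malformed field means no access."""
        groups = page.get(self.FIELD)
        if not isinstance(groups, list):
            return False
        return any(isinstance(g, str) and g in user.teams for g in groups)

    def can_edit(self, user, page):
        """Current policy from the issue: anyone with access can edit."""
        return self.can_view(user, page)


# Constructed sample documents, not real Splash data.
PAGES = [
    {"uid": "p1", "title": "Beamline notes", "accessGroups": ["team_a"]},
    {"uid": "p2", "title": "Shared", "accessGroups": ["team_a", "team_b"]},
    {"uid": "p3", "title": "Legacy page"},  # written before the field existed
]


def visible_uids(policy, user, pages=PAGES):
    """UIDs of the pages the policy lets this user view."""
    return [p["uid"] for p in pages if policy.can_view(user, p)]
```

Pages that predate the field (like `p3`) are denied to everyone here, so existing documents would need a migration before the check is enabled.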
