Extend permission system to add field-level permissions

[grantfitzsimmons]

Fields that are visible for all users but only users of a specific role/policy should have access. Maybe something like a "restricted fields" permission.

This would be nice to have as some fields should be read-only for most users but editable by administrators.

Requested By: NMC Herbaria

[maxpatiiuk]

This sounds like a part of the field-level permission system

[grantfitzsimmons]

Maybe so. That is the request 😄

[benanhalt]

The main API currently checks update permissions for fields. It uses the same mechanism as the the audit log. It doesn't check read permissions for individual fields.

It's implemented at https://github.com/specify/specify7/blob/v7.7.5/specifyweb/specify/api.py#L618-L621

[grantfitzsimmons]

Requested again by every Swiss institution.

[maxpatiiuk]

As a reminder, this is already implemented on the back-end (you can only remove or add field update permission, and that's only applicable if you have update permission or add permission to the table - there is no separate field view, delete or add permission)

The only thing remaining is front-end. Mainly:

1. come up with an implement a nice UI for this
2. at the moment front-end behind the scenes gives user access to all fields - would have to modify that logic to allow giving access to specific fields only rather than everything

See

specify7/specifyweb/frontend/js_src/lib/components/Security/utils.ts

Lines 175 to 189 in 935d304

	/**
	* Special resource that is needed by the back-end for user to be able to
	* edit anything.
	* Field level permissions are not yet fully implemented, thus this resource
	* must be hidden in the UI, but present in all policy lists
	*/
	export const fieldPolicy = '/field/%';
	/**
	* Front-end enforces that each user that has collection access, also has the
	* following permissions:
	*/
	export const basicPermissions: IR<RA<string>> = {
	[fieldPolicy]: [anyAction],
	};

and look for all usages of fieldPolicy

[grantfitzsimmons]

From our Open Discussion on Associated Media Management in Specify 7 community meet:
(https://discourse.specifysoftware.org/t/open-discussion-on-associated-media-management-in-specify-7/2156/1)

Many users reported difficulties with managing permissions:
Nate Shoobs: “Agreed, permissions by whole table can be clunky.”
Corinne Fuchs: “It would be a relief to be able to allow an intern account to change a quantity or a determination, but not other info.”