fix(permissions): Update default object access permissions (DEV-514) (#…

…2004)

* Update default object access permissions

* Update corresponding test

* update documentation

docs/03-apis/api-admin/permissions.md

@@ -35,7 +35,13 @@ included in the request body, for example:
 {
     "forGroup":"http://rdfh.ch/groups/0001/thing-searcher", 
     "forProject":"http://rdfh.ch/projects/0001", 
-    "hasPermissions":[{"additionalInformation":null,"name":"ProjectAdminGroupAllPermission","permissionCode":null}]
+    "hasPermissions":[
+      {
+        "additionalInformation":null,
+        "name":"ProjectAdminGroupAllPermission",
+        "permissionCode":null
+      }
+    ]
 }
 ``` 
 
@@ -71,27 +77,26 @@ As a response, the created administrative permission and its IRI are returned as
 permission types](../../05-internals/design/api-admin/administration.md#administrative-permissions).
 In summary, each permission should contain followings:
 
-- `name` : indicates the type of the permission that can be one of the followings:
-   - `ProjectAdminAllPermission`: gives the user the permission to do anything
+  - `additionalInformation`: should be left empty, otherwise will be ignored.
+  - `name` : indicates the type of the permission that can be one of the followings:
+    - `ProjectAdminAllPermission`: gives the user the permission to do anything
      on project level, i.e. create new groups, modify all
      existing groups
-   - `ProjectAdminGroupAllPermission`: gives the user the permission to modify
+    - `ProjectAdminGroupAllPermission`: gives the user the permission to modify
      *group info* and *group membership* on *all* groups
      belonging to the project.
-   - `ProjectAdminGroupRestrictedPermission`: gives the user the permission to modify
+    - `ProjectAdminGroupRestrictedPermission`: gives the user the permission to modify
      *group info* and *group membership* on *certain* groups
      belonging to the project.
-   - `ProjectAdminRightsAllPermission`: gives the user the permission to change the
+    - `ProjectAdminRightsAllPermission`: gives the user the permission to change the
      *permissions* on all objects belonging to the project
      (e.g., default permissions attached to groups and
      permissions on objects).
-   - `ProjectResourceCreateAllPermission`: gives the permission to create resources
+    - `ProjectResourceCreateAllPermission`: gives the permission to create resources
      inside the project.
-   - `ProjectResourceCreateRestrictedPermission`: gives restricted resource creation permission
+    - `ProjectResourceCreateRestrictedPermission`: gives restricted resource creation permission
      inside the project.
-
-- `additionalInformation`: should be left empty, otherwise will be ignored.
-- `permissionCode`: should be left empty, otherwise will be ignored.
+  - `permissionCode`: should be left empty, otherwise will be ignored.
 
 
 Note that during the creation of a new project, a default set of administrative permissions are added to its ProjectAdmin and 
@@ -116,27 +121,33 @@ default object access permission for a group of a project the request body would
     "forProject":"http://rdfh.ch/projects/0001",
     "forProperty":null,
     "forResourceClass":null,
-    "hasPermissions":[{"additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember","name":"D","permissionCode":7}]
+    "hasPermissions":[
+      {
+        "additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember",
+        "name":"D",
+        "permissionCode":7
+      }
+    ]
 }
 ```
 
 `hasPermissions` contains permission types that must be granted. See [a complete description of object access 
 permission types](../../05-internals/design/api-admin/administration.md#default-object-access-permissions). 
 In summary, each permission should contain followings:
 
-- `additionalInformation`: To whom the permission should be granted: project members, known users, unknown users, etc.
-- `name` : indicates the type of the permission that can be one of the followings.
-   - `RV`: restricted view permission (least privileged)
-   - `V`: view permission
-   - `M` modify permission
-   - `D`: delete permission
-   - `CR`: change rights permission (most privileged)
-- `permissionCode`: The code assigned to a permission indicating its hierarchical level. These codes are as below:
-  - `1`: for restricted view permission (least privileged)
-  - `2`: for view permission
-  - `6`: for modify permission
-  - `7`: for delete permission
-  - `8`: for change rights permission (most privileged)
+  - `additionalInformation`: To whom the permission should be granted: project members, known users, unknown users, etc.
+  - `name` : indicates the type of the permission that can be one of the followings.
+    - `RV`: restricted view permission (least privileged)
+    - `V`: view permission
+    - `M` modify permission
+    - `D`: delete permission
+    - `CR`: change rights permission (most privileged)
+  - `permissionCode`: The code assigned to a permission indicating its hierarchical level. These codes are as below:
+    - `1`: for restricted view permission (least privileged)
+    - `2`: for view permission
+    - `6`: for modify permission
+    - `7`: for delete permission
+    - `8`: for change rights permission (most privileged)
 
 Note that, at least either `name` or `permissionCode` must be provided. If one is missing, it will be extrapolated from the other.
 For example, if `permissionCode= 1` is given but `name` was left empty, its value will be set to `name = RV`.    
@@ -152,7 +163,13 @@ a resource class of a specific project:
     "forProject":"http://rdfh.ch/projects/00FF",
     "forProperty":null,
     "forResourceClass":"http://www.knora.org/ontology/00FF/images#bild",
-    "hasPermissions":[{"additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember","name":"D","permissionCode":7}]
+    "hasPermissions":[
+      {
+        "additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember",
+        "name":"D",
+        "permissionCode":7
+      }
+    ]
 }
 ```
 
@@ -207,7 +224,13 @@ the combination of both, the permission will be defined for the newly specified
 
 ```json
 {
-   "hasPermissions":[{"additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember","name":"D","permissionCode":7}]
+   "hasPermissions":[
+     {
+       "additionalInformation":"http://www.knora.org/ontology/knora-admin#ProjectMember",
+       "name":"D",
+       "permissionCode":7
+     }
+   ]
 }
 ```
 

docs/03-apis/api-admin/projects.md

@@ -95,21 +95,22 @@ specified by the `id` in the request body as below:
 
 #### Default set of permissions for a new project:
 When a new project is created, following default permissions are added to its admins and members:
+
 - ProjectAdmin group receives an administrative permission to do all project level operations and to create resources 
 within the new project. This administrative permission is retrievable through its IRI:
 `http://rdfh.ch/permissions/[projectShortcode]/defaultApForAdmin`
 
-ProjectAdmin group also gets a default object access permission to change rights, delete, modify, view, 
-and restricted view of any entity that belongs to the project. This default object access permission is retrievable 
+- ProjectAdmin group also gets a default object access permission to change rights (which includes delete, modify, view, 
+and restricted view permissions) of any entity that belongs to the project. This default object access permission is retrievable 
 through its IRI: 
 `http://rdfh.ch/permissions/[projectShortcode]/defaultDoapForAdmin`
 
 - ProjectMember group receives an administrative permission to create resources within the new project. This 
 administrative permission is retrievable through its IRI:
 `http://rdfh.ch/permissions/[projectShortcode]/defaultApForMember`
 
-ProjectMember group also gets a default object access permission to modify, view, and restricted view of any entity that 
-belongs to the project. This default object access permission is retrievable through its IRI: 
+- ProjectMember group also gets a default object access permission to modify (which includes view and restricted view 
+permissions) of any entity that belongs to the project. This default object access permission is retrievable through its IRI: 
 `http://rdfh.ch/permissions/[projectShortcode]/defaultDoapForMember`
 
 ### Update project information:

webapi/src/main/scala/org/knora/webapi/responders/admin/ProjectsResponderADM.scala

@@ -1037,10 +1037,7 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo
             forGroup = Some(OntologyConstants.KnoraAdmin.ProjectAdmin),
             hasPermissions = Set(
               PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-              PermissionADM.deletePermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-              PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-              PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-              PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin)
+              PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember)
             )
           ).prepareHasPermissions,
           featureFactoryConfig = featureFactoryConfig,
@@ -1055,9 +1052,8 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo
             forProject = projectIri,
             forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember),
             hasPermissions = Set(
-              PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember),
-              PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectMember),
-              PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectMember)
+              PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
+              PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember)
             )
           ).prepareHasPermissions,
           featureFactoryConfig = featureFactoryConfig,

webapi/src/test/scala/org/knora/webapi/responders/admin/ProjectsResponderADMSpec.scala

@@ -257,10 +257,7 @@ class ProjectsResponderADMSpec extends CoreSpec(ProjectsResponderADMSpec.config)
             doap.hasPermissions.equals(
               Set(
                 PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-                PermissionADM.deletePermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-                PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-                PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
-                PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin)
+                PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember)
               )
             )
         }
@@ -274,9 +271,8 @@ class ProjectsResponderADMSpec extends CoreSpec(ProjectsResponderADMSpec.config)
             ) &&
             doap.hasPermissions.equals(
               Set(
-                PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember),
-                PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectMember),
-                PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectMember)
+                PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectAdmin),
+                PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember)
               )
             )
         }