Dataverse: Index: Assigning a user curator role to an unpublished dataverse does not kick off perms index, user can't browse dv.

Tested with v4.94 and found that assigning any role to an unpublished dv does not cause dv card to appear in My Data nor on browse/search results page. Seems like a straight up permissions indexing issue.

This seems to be reproducible in 4.11, too. And it's a big blocker for getting our production instance ready, too.

The steps I did to reproduce / find this:

1. Created a root dataverse during setup.
2. Setup auth and created a "normal" user
3. As dataverseAdmin: created a group "test" on root dv, assigned role "Member".
4. As dataverseAdmin: created a sub-dataverse "testi"
5. As dataverseAdmin: added normal user to group "test". Dv "testi" is not shown in browse list of root dv.
6. As dataverseAdmin: created a group "test2" on dv "testi", assigned role "Admin".
7. As dataverseAdmin: added normal user to "test2". Dv "testi" still not shown in browse list of root dv.

I'm able to replicate this on my machine. Its definitely inconsistent, for a while it was happening almost every time but and now it only happens rarely. Still digging deeper.

It happens in reverse as well, removing the permission does not lead to the dataset being removed from search cards.

I've been using the debugger to dig many levels deep into this. It looks to be an issue with the native query called by DataverseRoleServiceBean.rolesAssignments() (the query being RoleAssignment.listByDefinitionPointId). I'm wondering if there is something broken with the async implementation around this as everything up til this method was happening async (if I hit a debug point on a function the UI would keep going) but when debugging on this method the UI waits. That being said I quite possibly am misunderstanding how the async works.

The investigation continues.

The solution I took to fix this was to add a 1-second delay to the beginning of the 2 IndexAsync methods. It seemed that in all the cases these methods were used (not too many) we would likely benefit from waiting to ensure the data we retrieved was up to date.

If this solution is accepted we may want to add a message to the API calls that utilize the function to wait a second before doing subsequent actions after revoking/adding roles.

The bug as reported is resolved. @poikilotherm I believe your two scenarios, although unintuitive, are functioning as designed. Here is why: each dataverse is its own "permission root". That means permissions are not inherited between parent and child dvs. So, assigning member perms to the parent does not allow viewing the unpublished child dv. You can observe the member permission does not appear in the list of the sub-dv as it would were it inherited,

As discussed in tech hours, this solution is a temporary one; when we complete #4425, we should be able to revert this code back.

Thx for pointing that out @kcondon. Will open a new issue then with our use case after discussion with my colleagues. At least this design/behaviour should be better documented, will definitely raise an issue for that.

@poikilotherm please go ahead and create your issue but meanwhile you might want to play around with the newish :InheritParentRoleAssignments setting: http://guides.dataverse.org/en/4.12/installation/config.html#inheritparentroleassignments . The use case described in #5095.

Yeah @pdurbin that's what I want indeed. Thx for pointing that out!

@poikilotherm cool. You have @qqmyers to thank. 😄

and TDL...