Form builder forms can not be edited by other admins in org account #1060

Closed
msschroeder opened this issue Jun 28, 2017 · 5 comments · Fixed by #2336

Comments

@msschroeder

msschroeder commented Jun 28, 2017

Environment (local, stage, preview, production)

All

Expected behavior

In an org account, any admin should be able to edit a form previously developed by another individual in form builder as this is an option listed for all admins (see screen shot below).

screen_shot_2017-06-28_at_8_48_10_am

Actual behavior

If another admin, who did not develop the form in form builder, clicks edit the form, they receive an error message (see screen shot below) and are unable to edit the form.

screen shot 2017-06-27 at 9 17 16 am

The workaround would be to use an XLSForm syntax form and replace the form. Everyone would have access to that.

Steps to reproduce the behavior

  • Have 1 admin in an org account create a form in form builder and publish the form
  • Have another org admin try to edit the form

Sample Form: https://ona.io/acme/916/216297

Implementation plan

Blocking or related onadata issues

@ukanga ukanga added this to the Week 26 - 27 milestone Jul 10, 2017
@ukanga ukanga modified the milestones: Week 28 - 29, Week 30 - 31 Jul 24, 2017
@ukanga ukanga modified the milestones: Week 30 - 31, Week 32 - 33 Aug 7, 2017
@ukanga ukanga modified the milestones: Week 32 - 33, Week 34-35 Aug 21, 2017
@pld pld modified the milestones: Week 34 - 35, Q3 High Priority Sep 11, 2017
@ukanga ukanga removed this from the Week 7 - 8 milestone Feb 26, 2018
@DavisRayM DavisRayM added this to the Future Features milestone Mar 20, 2020
@WinnyTroy
Contributor

WinnyTroy commented Aug 5, 2021

This can be resolved by sharing can change asset and can view asset permissions with the user on the Formbuilder resources at the same time Zebra is sharing access to the Onadata resources (i.e. Projects and Forms).

For Zebra, this could be easily resolved by making this KPI endpoint:

```
<KPI domain>/permissions/ user=<user instance> permission=<permission name> content_object=<Asset or collection instance>
```

A sample request would appear as this:

Sharing Assets:

```
http POST :8080/permissions/ user=/users/winnytest1/ permission="view_asset" content_object=/assets/aLsnDxN9P93UUwn4YFhJfT/ -a <username>:<password>
```

Sharing Collections:

```
http POST http://127.0.0.1:8080/permissions/ user=/users/winnytest1/ permission=change_collection content_object=/collections/cSzAiHBPhUu7kcetVSXz6A/ -a <username>:<password>
```

where the:

  • user - is the URL pointing to the user to share permissions with
  • permission - could include view_collection or change_collection (to edit the collection)
  • content_object - is the URL pointing to the asset whose permissions you want to modify

There is an alternative to update the models manually using KPI's django shell utility.
Below are detailed instructions with demo values:


```python
## Fetch permission, asset and user instance to create new permission for asset.
# 1. Fetch the required models that we're going to query
>>> from django.contrib.auth.models import Permission, User
>>> from kpi.models import Asset, ObjectPermission

# 2. Get the `change_asset` and `view_asset` permission instances
>>> permission = Permission.objects.filter(name="Can view asset").first()
>>> permission
<Permission: kpi | asset | Can view asset>

>>> permission = Permission.objects.filter(name="Can change asset").first()
>>> permission
<Permission: kpi | asset | Can change asset>

# 3. Get the user instance
>>> user = User.objects.get(username="winnytest254")

# 4. Get the asset instance (kept in `asset`, which step 5 uses)
>>> asset = Asset.objects.get(uid="aN97sGjuSITfVsHHXoh3wED")

# 5. Create the permission (`permission` holds whichever instance was
#    fetched last in step 2; repeat for the other one)
>>> ObjectPermission.objects.create(user=user, permission=permission, content_object=asset)
<ObjectPermission: ObjectPermission object (87913)>

# 6. Confirm that the permissions have been applied to the formbuilder forms
>>> Asset.objects.get(uid="aN97sGjuSIVsHHXoh3wED").permissions.all().values_list("permission__name", "user__username")
<QuerySet [('Can change asset', 'winnytest254'), ('Can view asset', 'winnytest254'), ('Can submit data to asset', 'onasupport'), ('Can change asset', 'onasupport'), ('Can modify submitted data for asset', 'onasupport'), ('Can validate submitted data asset', 'onasupport'), ('Can view asset', 'onasupport'), ('Can view submitted data for asset', 'onasupport')]>
```

N.B

  • You can share permissions for a specific collection and not need to make it public.
  • The user you have shared the collection with will be able to view the collection you have shared when they log in to their account.
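
As an added example (not part of the original comment and not KPI or Zebra code): a check in the spirit of step 6 that compares `(permission name, username)` rows against a list of org admins and builds a `/permissions/` request body for each grant that is still missing. The admin list, `orgadmin2` and the asset uid are constructed sample values, and the username and uid patterns are assumptions.

```python
import re

# Permission names as printed in step 6, mapped to the codenames the endpoint takes.
NAME_TO_CODENAME = {"Can view asset": "view_asset", "Can change asset": "change_asset"}
REQUIRED = ("view_asset", "change_asset")       # what an editing admin needs
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@+-]+")  # assumption: ASCII Django-style usernames
UID_RE = re.compile(r"[A-Za-z0-9]+")            # assumption: alphanumeric asset uids


def missing_grants(rows, org_admins):
    """rows: (permission name, username) pairs in the shape of the step 6 output.
    Returns the (username, codename) pairs that org admins still lack."""
    held = {(user, NAME_TO_CODENAME[name])
            for name, user in rows if name in NAME_TO_CODENAME}
    return [(user, code) for user in sorted(set(org_admins))
            for code in REQUIRED if (user, code) not in held]


def permission_payloads(missing, asset_uid):
    """Build one POST body per missing grant for <KPI domain>/permissions/.
    Values are validated first because they are spliced into URL paths."""
    if not UID_RE.fullmatch(asset_uid):
        raise ValueError(f"unexpected asset uid: {asset_uid!r}")
    payloads = []
    for username, codename in missing:
        if codename not in REQUIRED:
            raise ValueError(f"permission not on the allow-list: {codename!r}")
        if not USERNAME_RE.fullmatch(username) or set(username) <= {"."}:
            raise ValueError(f"unsafe username: {username!r}")
        payloads.append({"user": f"/users/{username}/",
                         "permission": codename,
                         "content_object": f"/assets/{asset_uid}/"})
    return payloads


# Constructed sample data: orgadmin2 and the uid are placeholders, not values from the issue.
ROWS = [("Can change asset", "winnytest254"), ("Can view asset", "winnytest254"),
        ("Can view asset", "orgadmin2")]
ORG_ADMINS = ["winnytest254", "orgadmin2"]
ASSET_UID = "aPLACEHOLDERUID"

if __name__ == "__main__":
    for body in permission_payloads(missing_grants(ROWS, ORG_ADMINS), ASSET_UID):
        print(body)
```

Restricting the grant set to the two asset permissions keeps the sync from handing out broader rights than editing requires.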

@ukanga
Member

ukanga commented Aug 5, 2021

We could also use a post save signal when the form is created or when shared to others. Zebra currently does not interact directly with KPI API or does it?

@WinnyTroy
Contributor

WinnyTroy commented Aug 9, 2021

@ukanga Zebra does interact with the KPI API, for example, within the question Library feature, the create, update and delete functionalities are done by hitting the collections KPI endpoint from Zebra. We detailed that here

@eochieng-lab

Our version of KPI is forked and may be outdated. We will need to confirm what KPI version is the latest.

@onaio onaio deleted a comment from eochieng-lab Jul 29, 2022
@FrankApiyo
Member

FrankApiyo commented Nov 10, 2022

I'd like to note here that this issue also prevents users with can-download permissions from downloading xls forms from formbuilder.
