Authorization scenarios
Most operations in ReviewDB require simple "write" or "read" permissions on a particular review. How these permissions are granted depends on the authorization realm for the review.
Review creation and protected meta-data
Creating reviews (other than practice reviews) and updating certain fields via the ReviewDB API require system administrator privileges. These operations are generally expected to be done via another system (e.g. Archie or Porto) instead.
This table outlines the permissions needed to change Review fields:
System administrator | Write meta-data permission | Write permission | Maintained internally |
---|---|---|---|
realm; specific to Editorial Manager: submissionStatus | title; obsolete fields: documentPK | searchDate, useStudyCentricDataStructures, gradeProIntegrationEnabled, riskOfBiasMethod, reviewFormat | changedSinceLastTag, reviewModified, reviewModifiedBy, titleModified, titleModifiedBy |
Authorization realms
Authorization is handled differently based on the "realm" setting for the review, as outlined in this table:
Permission | ARCHIE | PORTO | PRACTICE | PRACTICE_TEMPLATE |
---|---|---|---|---|
Read | Managed by Archie, depends on review phase | Granted to users with a role on the review, with a "manage reviews" role in the owning unit, and to system administrators | Granted to user who owns the review, and to system administrators | Granted to user who owns the review, and to system administrators |
Write | Managed by Archie, depends on review phase | Granted to users with a role on the review, with a "manage reviews" role in the owning unit, and to system administrators on active reviews | Granted to user who owns the review, and to system administrators | Granted to user who owns the review, and to system administrators |
Meta-data | Managed by Archie | Granted to users with a "manage reviews" role in the owning unit, and to system administrators | Granted to user who owns the review, and to system administrators | Granted to user who owns the review, and to system administrators |
Protected meta-data | Managed by Archie | Managed by Porto (use Porto API) | System administrators | System administrators |
Create review | Managed by Archie | Managed by Porto (use Porto API) | Any user (up to a maximum number of practice reviews) | Members of the trainers' network (Archie group) |
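The two tables above combined into a deny-by-default check on a review update, as an added example that is not ReviewDB's own code. The `Caller` shape, the permission class names and both function names are hypothetical; it assumes "on active reviews" limits every PORTO write grantee, and it leaves ARCHIE decisions to Archie.

```python
# Added example: field-level authorization for a review update, deny by default.
# Field names and realms come from the tables above; everything else is assumed.
from dataclasses import dataclass

# Permission class needed to change each field (first table).
FIELD_REQUIRES = {
    "realm": "sysadmin", "submissionStatus": "sysadmin",
    "title": "meta", "documentPK": "meta",
    "searchDate": "write", "useStudyCentricDataStructures": "write",
    "gradeProIntegrationEnabled": "write", "riskOfBiasMethod": "write",
    "reviewFormat": "write",
    "changedSinceLastTag": "internal", "reviewModified": "internal",
    "reviewModifiedBy": "internal", "titleModified": "internal",
    "titleModifiedBy": "internal",
}

@dataclass
class Caller:  # hypothetical shape of the authenticated caller
    sysadmin: bool = False
    owner: bool = False           # owns the practice review
    review_role: bool = False     # has a role on the review
    unit_manager: bool = False    # "manage reviews" role in the owning unit

def granted(realm, caller, active=True):
    """Permission classes the realm table gives this caller."""
    perms = set()
    if realm in ("PRACTICE", "PRACTICE_TEMPLATE"):
        if caller.owner or caller.sysadmin:
            perms |= {"write", "meta"}
    elif realm == "PORTO":
        # Assumption: "on active reviews" limits every write grantee.
        if active and (caller.review_role or caller.unit_manager or caller.sysadmin):
            perms.add("write")
        if caller.unit_manager or caller.sysadmin:
            perms.add("meta")
    else:
        # ARCHIE decisions are managed by Archie and are not modelled here.
        raise ValueError(f"realm {realm!r} is not decided locally")
    if caller.sysadmin:
        perms.add("sysadmin")
    return perms

def denied_fields(realm, caller, update, active=True):
    """Return the fields in `update` the caller may not change (sorted)."""
    perms = granted(realm, caller, active)
    # Unknown fields map to "internal", which no caller ever holds.
    return sorted(f for f in update
                  if FIELD_REQUIRES.get(f, "internal") not in perms)
```

An empty result means every field in the update is permitted; any other result lists the fields to reject, including internally maintained and unrecognised ones.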
Cochrane REST API
The Cochrane Application Programming Interface (API) is based on Representational State Transfer (REST) and uses resource-oriented URLs. The API supports SSL only: any non-SSL call returns a 403 (FORBIDDEN) status code.
...