Managing large groups - reducing risk of accidental or malicious deletions

We did a live 'researchathon' and in 3 hours had 20 students create a group library with 526 items (needs a bit of de-duplication and tidying up, but mostly very good stuff). The students were so enthusiastic they want to continue adding resources and open it up to other students to add more resources.

I'm worried about the potential for someone to inadvertently or maliciously delete items or collections or to rename collections in unhelpful ways. The collection is based around 'decolonising the curriculum' so there is potential for someone who has strong views on this to delete or deface the collection and because there is not a clear audit trail of who's done what (unless I'm missing something) it would be unclear who had done it. Someone did accidentally delete a collection in the researchathon but we were able to restore it from someone's Zotero desktop that hadn't yet synced.

Has Zotero considered adding a group member status which has permission to add resources but not to delete or change the collections structure/naming? This would help reduce risk of deletion and give me more confidence to open up the group to other contributors.

Another alternative might be to enable people suggest resources for a group - where they're able to push resources through to a group collection for Admins or Editors to review and then either delete or push on into a collection.

Grateful to have feedback on this - possibilities for development or some workarounds that I've over looked.

Grant Young

(Academic Librarian for Arts and Humanities, University of East Anglia)
  • This has come up before and more-finegrained permissions for groups have been mentioned several times as a future plan, but I don't know exactly what those would/will entail.

    The only current workaround I could think off is to have two copies of the library -- a "staging" one that's widely editable, and a final one that only a couple of people have access to. One could then have a script (e.g. python using pyzotero) that transfers new items from the one to the other that an admin can run regularly. This would obviously also allow you to restore the staging library to a previous state in case of vandalims.
  • Thanks adamsmith - would be helpful for Zotero developers (if monitoring this board) to consider enabling more finegrained permissions and possibly some audit (resource contributed by X). But meanwhile I think your idea of having two groups might be best. A public group with a select group of Admins/editors and a link to a 'Suggestions' group with very open membership which others can add new items to and is periodically reviewed by admins and transferred periodically into the main group. Many thanks, Grant
  • devs read every thread here, yes.
  • We've talked about this sort of thing before, but it's pretty tricky, from both a technical and practical perspective. The technical problem is that a lot of actions in Zotero — like adding an item to a collection, or adding a tag — make changes to the underlying item, and differentiating between allowed actions (like adding to a collection) and disallowed actions (like, say, removing from a collection) would be very difficult and bug-prone. The practical problem is that you probably want to allow things like fixing typos or editing fields, but if you're allowing editing fields, someone maliciously inclined could just blank out an item. Allowing changes and deletions only to items you yourself created would address some of these problems, but that precludes people collaborating on things like collection organization or deduplication.

    There's even a privacy consideration, in that someone might save to the wrong library — or just have the group library selected and then want to move the item to a different library via the save popup — but that requires the ability to delete at least items you yourself created, at least for a period of time (but maybe not forever, lest someone delete all the items they added after they've been incorporated into the group).
    Another alternative might be to enable people suggest resources for a group - where they're able to push resources through to a group collection for Admins or Editors to review and then either delete or push on into a collection.
    Could you say more about how you see that working? I think a fundamental problem here is going to be that, while one could come up with a set of restrictions that work for a particular use case, they would preclude others (like, potentially, in this example, even collaborating on adding items to collections).
  • My (non-Zotero) project has 2 levels of admin privileges: regular-admin level allows creation of a record and initial editing of the record but not record deletion or posting to the public side of the site. Only "super-administrators" have those privileges. Super-admins must "accept" records and record changes made by regular admins. Regular admins can flag a record to recommend deletion. Regular admins can propose the creation of a new record that is the result of a merger of 2 or more other records. The final acceptance of any change, creation, or deletion must be through the approval of a super-admin.
  • Hello, I would like to know if there has been any progress with a solution to adding items to large groups, and the possible solution of having two level of admin privileges. Another possibility, similar to that, could be to have an 'inbox' for which all members could have admin rights (able to upload items) separated from the rest of the platform for which only admins would have rights to add items, create/delete/change collections. That way the admins would just 'move' items from the 'inbox' to the right collection. Looking forward to your feedback! Thanks a lot.
  • Nothing new here, but for the inbox idea, you could experiment with just using a second group to which everyone has write access (and then having the main library view only for members)
  • Thanks for the suggestion. I will try a second group with library reading and library editing 'any group member' and see how it works as an inbox for the main group.
  • Hi @MarCat and @adamsmith.

    For https://docs.edtechhub.org (kerko), we're using a 'group with smaller membership', which is fed from a 'group with larger membership'. To do this in one library, it would be even better to have per-collection restrictions, but that would be hard to do.

    We've been working pretty hard on our command line interface for the API https://github.com/edtechhub/zotero-cli, to help us manage some aspects. On my to do list is a 'sync', where items can be synchronised from one library (e.g., items in a certain collection or with a certain tag). E.g., items could be marked by a user in libraryA; the 'superuser' runs the synscript, which adds items to library B (e.g., into an INBOX collection). At the same time, the item in library A is updated (e.g. with an attachment/link) indicating that the item has been transferred.

    If somebody is interested in thinking that through together, please do let me know, and we can work out what's possible.
  • I would be very interested in the possibility of having selective permissions as well. I was just wondering whether including this feature is being considered. Thank you.
Sign In or Register to comment.