Diffstat (limited to 'issues/gn-auth')
| -rw-r--r-- | issues/gn-auth/email_verification.gmi | 6 | ||||
| -rw-r--r-- | issues/gn-auth/example-privileges-script.gmi | 36 | ||||
| -rw-r--r-- | issues/gn-auth/feature-request-create-test-accounts.gmi | 51 | ||||
| -rw-r--r-- | issues/gn-auth/fix-refresh-token.gmi | 58 | ||||
| -rw-r--r-- | issues/gn-auth/implement-redirect-on-login.gmi | 22 | ||||
| -rw-r--r-- | issues/gn-auth/implement-refresh-token.gmi | 2 | ||||
| -rw-r--r-- | issues/gn-auth/new-privilegs-samples-ordering.gmi | 32 | ||||
| -rw-r--r-- | issues/gn-auth/pass-on-unknown-get-parameters.gmi | 17 | ||||
| -rw-r--r-- | issues/gn-auth/problems-with-roles.gmi | 7 | ||||
| -rw-r--r-- | issues/gn-auth/registration.gmi | 3 | ||||
| -rw-r--r-- | issues/gn-auth/resources-duplicates-in-resources-list.gmi | 29 | ||||
| -rw-r--r-- | issues/gn-auth/rework-view-resource-page.gmi | 22 | ||||
| -rw-r--r-- | issues/gn-auth/send-out-confirmation-emails-on-registration.gmi | 15 | ||||
| -rw-r--r-- | issues/gn-auth/test1-deployment-cant-find-templates.gmi | 2 |
14 files changed, 295 insertions, 7 deletions
diff --git a/issues/gn-auth/email_verification.gmi b/issues/gn-auth/email_verification.gmi
index 8147bb5..07e2b04 100644
--- a/issues/gn-auth/email_verification.gmi
+++ b/issues/gn-auth/email_verification.gmi
@@ -2,7 +2,7 @@
 ## Tags
-* status: open
+* status: closed, completed
 * priority: medium
 * type: enhancement
 * assigned: fredm, zsloan
@@ -12,8 +12,10 @@
 When setting up e-mail verification, the following configurations should be set for gn-auth:
-SMTP_HOST = "smtp.uthsc.edu"
+SMTP_HOST = "smtp.uthsc"
 SMTP_PORT = 25 (not 587, which is what we first tried)
 SMTP_TIMEOUT = 200 # seconds
 Not sure about username/password yet. We tried UNKNOWN/UNKNOWN and my own (Zach's) username/password
+
+Note that this host is only visible on the internal network of UTHSC. It won't work for tux02.
diff --git a/issues/gn-auth/example-privileges-script.gmi b/issues/gn-auth/example-privileges-script.gmi
new file mode 100644
index 0000000..afda1a1
--- /dev/null
+++ b/issues/gn-auth/example-privileges-script.gmi
@@ -0,0 +1,36 @@
+# Example Python script for setting privileges for user/group
+
+## Description
+
+This is just an example of a python script for setting user/group privileges, for potential future reference
+
+Before running this script, stop the crontab job that automatically sets unlinked resource privileges
+
+```python
+import uuid
+import sqlite3
+
+group_id = '0510dc91-0eb6-4d9d-97e5-405acc84ba2b'
+resource_id = 'e5cc773d-ca28-44e2-b2a7-1c2901794238'
+
+publishxrefs = ('10955','10957','10960','10961','10964','10966','10969','10970','10973','10975','10978','10979','10982','10984','10987','10988','12486','12487','12489','12490','12491','12492','12493','12494','12495','12496','12497','12498','12499','12500','12501','12502','12503','12504','12505','12506','12507','12508','12509','12510','12511','12512','12513','12514','12515','12516','12517','12518','12519','12520','12521','12522','12523','12524','12525','12526','12527','12528','12529','12530','12531','12532','12533','12534','12535','12536','12537','12538','12539','12540','12541','12542','12543','12544','12545','12546','12547','12548','12549','12550','12551','12566','12567','12568','12569','12574','12575','12576','12577','12578','12579','12580','12621','12735','12737','12741','12742','12743','12744','12745','12780','12781','12782','12783','12784','12785','12786','12787','12788','12789','12790','12791','12792','12793','12794','12795','12796','12797','12798','12799','12800','12801','12803','12804','12805','12806','12807','12808','12809','12810','12812','12813','12816','12817','12961','12962','12963','12964','12965','12966','12967','12970','13029','14803','14804','14805','14806','15572','15573','16197','16375','17329','17330','17331','17332','17333','17334','17335','17336','17337','17338','17339','17340','17341','17342')
+
+# I generated these separatedly with uuid.uuid4(); I probably could have just done this in the script itself, but wanted to make sure they stayed the same
+data_link_ids = 
('3041366d-1ffd-45fb-9617-043772b285c8', 'da41fc30-3cd6-4b41-83b5-8fedc4ccd65f', '364a4010-e3fe-470f-a8c9-2a9fd359a4e3', '4e878c0a-cc92-4b21-8152-310266291967', 'ab50a999-e9bb-4bb6-91c0-9828b804156e', 'd50d30e9-15f9-4578-8b48-2bcb0d7a8afb', 'd42d2ef5-278f-4b5e-ae57-10f49f48c2e9', '78c022d7-390b-4688-96c6-c1afadd45877', '17fca9ae-8e71-4c55-b035-15d04f96d936', '4f9893de-fccf-4d6a-845d-df2f83e4d06c', '8a660b03-786a-4143-9fb3-9d00e888f3a2', '3965417a-e47a-47c8-81f6-991eef8c4152', 'e27707f7-5832-4e3f-9391-849e964bbaf6', 'bf9f6ff0-a131-46ef-8a2e-c37d8b66f992', '1ee744c4-95e1-4a66-958c-e785dc937563', '0fa79294-bbdc-4701-861d-9bb91ea72588', '38665214-7cdd-4b01-81dc-d1b78e63a0b0', '82a237df-96ce-404e-b052-8dbe45e793ee', 'ec4c1848-d326-462b-9c0d-f5e5c76e92f6', '46bee64b-8ce7-4910-80ec-211063725b1a', '7f489875-38b6-4cff-a05e-f11a7957b9b8', 'f39744a1-d673-406f-a2f1-c45082bb1975', '5f53a9e9-e40c-4a01-bf9d-430d7c2fd5ef', '1f0a4f2d-cd1c-41e5-a185-2ea2b2b05cd3', 'e282651c-7dc3-40e9-bb52-14e73c3a4ef7', '3c492e6d-e807-427b-acca-44afa4862894', '38e0df6c-3f44-4acb-9965-f0d3f0278150', '35e5ae63-3a32-49ac-93ed-b39d02ab5f5c', '0e6bfa4a-4fee-4b54-80c6-209f9b0ecd00', 'eb85e71a-8b4b-4f3f-9168-59b4ebc090a1', '3eb0325c-4dce-481e-bce7-46c37031da76', '7bc5ce49-4150-4d87-bfbf-d3a1cd20ad67', '03c0cba7-8712-4a27-9b79-e38818805b1f', '07d787ec-e0f9-4b7c-b368-d1f56ce030dc', '51d9e601-31c7-4643-b896-79d90bdc4105', '3cee3754-2822-4f0a-87ad-96bdfe2f0232', 'a7e9eb54-63bd-4ca9-a1f8-1aeac02a76db', '3ff132e5-7fb6-4763-943e-1efbe5f8000e', 'c685f0c9-084d-44d2-882e-ce66cdccef6d', 'ea062e07-1f59-4312-bfd9-6560e652c878', '75d33621-b5a4-447d-a094-7480d1d57a47', 'bb3dbd16-0c73-47d8-8e21-f095d3398b61', '0211177b-a92c-4215-a622-0cba5e8e2866', 'e2139b64-e74a-4263-9785-314e73b102df', '0426f12b-c223-487b-8ab7-baea5995c480', '4a467a72-174c-4ec7-9557-859656ad2c71', '38ab978e-e78f-4c0a-8af3-449b636fe5e6', 'a45c8d42-14d3-464d-8395-8a574148da78', 'e4171cc1-4a03-4311-a287-cee1b8084227', 
'75d70308-6f1a-49e4-9199-97ec8f60778e', 'efb5c834-b88a-4ee9-b09d-91913fddb546', '23866a00-a729-4ba9-af22-ee83ec164d34', '3feb1154-0613-464b-b758-aad308550a74', '7019d0f1-a590-46ce-a30e-4c21541b6ea8', '6e803182-71d2-4427-a5df-ad84651e5d11', 'fe1bf3f6-818b-4fae-9880-8ae2c1bdcff6', '66d480f7-da41-49ed-a222-8724b493313a', 'c908d2a3-8378-4574-83be-3bf8bdeff5fb', '96b36360-7258-43ab-bdda-23e93f15b0ac', 'daf90aca-6ee6-4c3c-9a60-1e7ae2e29cd2', '43800347-1fe1-40f7-9013-408f0b0740e9', 'e9350a78-a62f-4a08-8881-e6e51450d120', 'bda9a217-d605-4a18-9c3f-5139679ae413', 'cbd8f79a-4992-43c9-8391-994e221b73e1', 'c6b64d90-63ff-482d-b205-f58f3cf656df', '3ecbf267-3655-42a6-a8f9-2751439efb27', '808ae753-a255-43a6-96d4-0ed02b14aefe', '1a5424df-49b3-4274-8281-a1eed838ffda', '89e6d278-e643-43a2-8a61-746cbf446109', 'b4940ece-80a0-4382-ba57-eaad1d35e83e', 'f46cd643-fccb-4037-b642-9a4a329e84e2', '497a235c-4253-4e94-a69c-4b2f200976dd', '02aa8e3a-f9ac-459b-8e35-7081f2849f48', 'da5018e2-38af-415a-ad43-8caf8d82290d', '574ee482-f534-475e-9e7a-0a14e05f4495', 'b90b3a02-fa8d-4393-9dbb-087224a80b40', 'd68370ec-f569-42f3-9c07-a3118aa73ad5', '4b6b099b-3a7c-46c2-a2fc-92c01463b698', 'c9f5608f-3301-4835-b6dc-b1891fe81c36', 'eead972c-0fc4-4c5e-b1ad-63db4d1e9409', 'd8b295eb-6d07-4abe-8b8a-8cfef066a32e', 'a89f3944-be64-42d0-aa66-d2501021760d', '02f42124-bc38-4a14-9400-bbc8e8bf41b7', 'abbcb901-da42-4ef1-bc2c-55b95d584461', 'e28b0cef-eddb-41f2-9479-722365c0b2e0', '9135c304-1dd3-4eb5-82d4-91a86e39068a', '0bbd5f1d-eef3-4c35-84ab-484165a4240d', '08ad9a25-b20d-4ad8-a5e0-a886edc4a7aa', '7e05bdf8-51f5-49dc-9ff6-fbbc6aa20c9f', 'c82d4943-dc6f-4ec8-b76f-1309290183fe', '6a8d76bc-156b-4925-823c-b4585a847efc', '2604e9a8-a4ee-49be-a754-126b1705516e', '8c32b69b-e796-418d-b254-104a179a84ba', '532dca31-c38e-4b77-a84c-563407e9ae00', '954cacda-179e-42a9-8c1f-987e6fae1079', 'bcfced8a-bd50-48e6-9edb-4776a1e95bf5', '66308324-1747-46df-8ddf-41e5bff1cd1a', 'f797e23c-7cb6-4869-97f5-3a79b685c6a3', '0869bb57-0133-4e57-9655-2b6eb1906f5e', 
'fc0dddfa-e683-4a8d-9f57-82fb368f8a84', '35b7ffc1-6782-4c85-9bf8-d51629cab2d0', '232850b6-5a53-45e0-8668-7773b9cb39c2', 'af20291c-2be6-40e1-9576-b78df5d56774', 'f52f5c1a-1f8a-4b8a-8e00-fc2bdc6edc5b', '90819230-f372-4e48-96fc-6fb97199fa07', 'b31aefbf-fb67-49dc-b357-f8f0cd76cea9', '5d695f24-674a-4dc5-9e02-7817b77ab06b', '064d5972-f636-4771-95fe-3f6260fd550f', 'c2254f71-98dc-4303-bc26-9b9640582be1', '6eac9495-a366-4e65-90d2-d63472937925', '119398e3-b8cc-4ae5-addb-ec13db9834fa', '6cce7b35-fe2a-4348-9e42-5179ea9f42f1', '65940929-c9fc-47e9-b1cf-c9c9688f7871', '73ffdb1a-f70d-4e8e-88b7-0e22cfd1916e', 'c1b25581-7d28-4535-bcdc-44dc3bc7e438', '6e03a5f7-f200-439a-a465-97056d3c9f71', '4d270b71-2e06-4cfb-a60d-258ccbc7860a', '8b82e29f-a901-454f-a9ad-2f96be9d6c44', '7d699b76-f554-44db-9c68-6ff985cd6388', '3417b2dc-a88a-4cb6-a446-9e90063731f9', '18760f59-4b50-48d5-9814-8117490ab972', '4aaebf37-9529-4365-bdb8-dd53b0ac2499', '95ecdf43-12a5-4b3c-993a-ff03b58cee93', '2b5dd4e6-2310-417e-82bb-b16e96c7346b', '92ee883a-646d-44dd-b2c6-1bffb7b0d2cb', '979038e4-9392-4836-ad04-f125cf19eafa', '1220629d-000f-4508-8a41-3706eebeb812', '42abca44-8eb3-4aa7-adae-16afc211dff4', '82fe9559-718e-4424-9465-033204e1ec03', '8353fe08-e6c8-4f87-b0d8-412ab4a41d19', '1c6bebcf-c125-42a3-9d5b-4fae3113b62b', 'ba54b2ba-fee3-4f1d-a903-18edc7c694bd', '0ea0d40d-3204-4b9b-bae2-54355dce2b5c', '5ee4857c-00b4-46d6-880c-44dbae021b45', '2caa4c03-78ce-456d-8e20-edb531bdd45a', 'e2536a5e-357d-4f6d-a764-ac85a40a2f3f', 'e6341996-80bb-42f9-8842-92062680e957', '3612e03e-430d-4da3-ac87-93a310a3d780', '88c600d2-cefd-4a99-a904-bf2260554ac6', 'f1a6af16-2525-4650-b729-cbec60ad276c', '4b854252-9e87-4d7c-99d9-84ae9297d26e', 'be580989-3ccd-48bd-8c85-a750a800afbd', '5fd675fe-e765-4bf0-8e0f-8f81107a0bb8', 'cf852032-6399-4bf8-a8e7-474c84030430', 'eef27f8a-32d2-4add-a018-ff2d34208a11', '3aca3b1d-4589-4b4c-90de-588fd43fe835', 'd6187213-5a39-4089-ac50-eb144be2a3a5', '5bf60cda-b6b9-4992-91ac-c022e523202a', '4c4395ca-2f2e-4a85-93df-37d2c7f3d1d6', 
'b8f9d837-2bd6-447c-9ad8-f581f84f36c1', '029a88bb-3850-4e85-87ab-8ecb3ad59538', '39ead890-0e1a-43df-9bbc-459a3ea0a016', '4b559ad2-c4d8-4763-bc08-90cb63fc79d0', '8361884a-248b-4dac-a9f9-d56f31ab477e', 'd79e2e00-9ea6-4d43-addc-3b1955bc7e5f', '4c0a35ac-c549-4c1a-9fc8-a2e93ba1c632', '50f558d0-c7b1-4204-8ebb-5855e7588998', 'be061746-1b34-4c04-a752-ab5c8d78fdef', 'f8edfb50-c572-4025-87c6-b34e88d8fb90', '0a799ff1-df2c-4c85-9b7e-4fe4885ab5cd', 'db373aa1-8ab9-4257-8d48-11dc92448344', '1e2b9de8-74a4-446a-970e-b47c662760b2', 'ac09ffdf-9cb5-49be-8f52-b681598453f6', 'ae4a55af-a1bb-4698-b2e7-ffbed8760635', '7989ff1f-a9da-439a-bb8b-14482b15dd2e')
+
+# delete_query deletes from the AutoAdminGroup
+delete_query = 'delete from linked_phenotype_data where group_id="5ea09f67-5426-4b66-9ea2-12bdd78350e8" and SpeciesId="1" and InbredSetId="1" and PublishFreezeId="1" and PublishXRefId=?'
+resource_query = "insert into phenotype_resources values ('e5cc773d-ca28-44e2-b2a7-1c2901794238', ?)"
+link_query = 'insert into linked_phenotype_data (data_link_id, group_id, SpeciesId, InbredSetId, PublishFreezeId, dataset_name, dataset_fullname, dataset_shortname, PublishXRefId) values (?,?,?,?,?,?,?,?,?)'
+
+db_path = '/home/gn2/auth.db'
+conn = sqlite3.connect(db_path)
+cursor = conn.cursor()
+
+the_data = tuple((dlid, group_id, 1, 1, 1, 'BXDPublish', 'BXD Phenotypes', 'BXD Publish', pxrid) for (dlid, pxrid) in zip(data_link_ids, publishxrefs))
+
+cursor.executemany(delete_query, tuple((item,) for item in publishxrefs))
+cursor.executemany(link_query, the_data)
+cursor.executemany(resource_query, tuple((item,) for item in data_link_ids))
+conn.commit()
+```
diff --git a/issues/gn-auth/feature-request-create-test-accounts.gmi b/issues/gn-auth/feature-request-create-test-accounts.gmi
new file mode 100644
index 0000000..9e8aa45
--- /dev/null
+++ b/issues/gn-auth/feature-request-create-test-accounts.gmi
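Review bot: `zip(data_link_ids, publishxrefs)` in the `the_data` line silently stops at the shorter of the two hand-maintained tuples, while the preceding `executemany(delete_query, …)` runs over every entry of `publishxrefs`; if the two ever differ in length, some PublishXRefIds are removed from the AutoAdminGroup link table without being re-linked to the new group, and nothing reports it. A guard before any write, `if len(data_link_ids) != len(publishxrefs): raise ValueError("data_link_ids and publishxrefs must pair up 1:1")`, fails the script before it touches the auth DB. Relatedly, `resource_id` is assigned but never used — `resource_query` and `delete_query` embed their UUIDs as string literals — so binding them as parameters, `resource_query = "insert into phenotype_resources values (?, ?)"` with `tuple((resource_id, item) for item in data_link_ids)`, keeps the two places from drifting apart if the example is reused with other IDs.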
@@ -0,0 +1,51 @@
+# Feature Request: Create Test Accounts
+
+## Tags
+
+* assigned: fredm, alex
+* status: open
+* type: feature request, feature-request
+* priority: medium
+* keywords: gn-auth, auth, test accounts
+
+## Description
+
+From the requests on Matrix:
+
+@alexm
+```
+fredmanglis
+: Can we create a generic, verified email for CD to make it easier for people to test our services that requires login?
+```
+
+and from @pjotrp
+
+```
+yes, please. Let it expire after a few weeks, or something, if possible. So we can hand out test accounts.
+```
+
+We, thus, want to have a feature that allows the system administrator, or some other user with the appropriate privileges, to create a bunch of test accounts that have the following properties:
+
+* The accounts are pre-verified
+* The accounts are temporary and are deleted after a set amount of time
+
+This feature will need a corresponding UI, say on GN2 to enable the users with the appropriate privileges create the accounts easily.
+
+### Implementation Considerations
+
+Only system-admin level users will be able to create the test accounts
+
+We'll probably need to track the plain-text passwords for these accounts, probably.
+
+Information to collect might include:
+* Start of test period (automatic on test account creation: mandatory)
+* End of test period (Entered at creation time: mandatory)
+* A pattern of sorts to follow when creating the accounts — this brings up the question, is there a specific domain (e.g. …@uthsc.edu, …@genenetwork.org etc.) that these test accounts should use?
+* Extra details on event/conference necessitating creation of the test account(s) (optional)
+
+
+Interaction with the rest of the system that we need to consider and handle are:
+* Assign public-read for all public data: mostly easy.
+* Forgot Password: If such users request a password change, what happens? Password changes requires emails to be sent out with a time-sensitive token. The emails in the test accounts are not meant to be actual existing emails and thus cannot reliably receive such emails. This needs to be considered. Probably just prevent users from changing their passwords.
+* What group to assign to these test accounts? I'm thinking probably a new group that is also temporary - deleted when users are deleted.
+* What happens to any data uploaded by these accounts? They should probably not upload data meant to be permanent. All their data might need to be deleted along with the temporary accounts.
diff --git a/issues/gn-auth/fix-refresh-token.gmi b/issues/gn-auth/fix-refresh-token.gmi
new file mode 100644
index 0000000..222b731
--- /dev/null
+++ b/issues/gn-auth/fix-refresh-token.gmi
@@ -0,0 +1,58 @@
+# Fix Refresh Token
+
+## Tags
+
+* status: closed, obsolete
+* priority: high
+* assigned: fredm
+* type: feature-request, bug
+* keywords: gn-auth, token, refresh token, jwt
+
+## Description
+
+The way we currently provide the refresh token is wrong, and complicated, and
+leads to subtle bugs in the clients.
+
+The refresh tokens should be sent back together with the access token in the
+same response with the following important considerations:
+
+* The access token is sent back as the body of the response
+* The refresh token is sent back as a httpOnly cookie
+* The refresh token should be opaque to the client — if it is a JWT, encrypt it
+
+### Server-Side Changes
+
+The following changes will be necessary at the generation of the access token:
+
+* Generate the refresh token (possibly in the `create_token_response()` function in `gn_auth.auth.authentication.oauth2.grants.JWTBearerGrant`). Put the user ID, and expiration in the refresh token. Expiration can be provided as part of initial request.
+* Encrypt the refresh token (maybe use the auth-server's public key for this)
+* Save refresh token to DB with link to access token ID perhaps?
+* Attach the token to the response as a httpOnly cookie
+
+at the refreshing of the access token, we'll need to:
+
+* Fetch the refresh token from the cookies
+* Decrypt it
+* Compare the user ID in the refresh token with that in the access token provided
+* Verify refresh token has not expired
+* Check that the refresh token is not revoked (revocation will happen when user logs out, on manual sys-admin revocation)
+* Generate new access token
+* Do we attach the same refresh token or generate a new one?
+
+#### Gotchas
+
+Since there are multiple workers, you could get a flurry of refresh requests using the same refresh token. We might need to handle that — maybe save the refresh request to DB with the ID of the access token used and the new access token, and simply return the same new access token generated by the first successful refresh worker.
+
+This actually kills 2 birds with the one stone:
+* The refresh completes successfully if the refresh token is not expired and the access token is valid
+* In case the access token and refresh token are somehow compromised, the system returns the same, possibly expired access token, rendering the compromise moot.
+
+### Client-Side Changes
+
+* Get the refresh token from the cookies rather than from the body
+* Maybe: make refreshing the access token unaware of threads/workers
+
+
+## Close as Obsolete
+
+We no longer do refresh tokens at all, they were a pain to look into, so I simply removed them from the system.
diff --git a/issues/gn-auth/implement-redirect-on-login.gmi b/issues/gn-auth/implement-redirect-on-login.gmi
new file mode 100644
index 0000000..342b2e6
--- /dev/null
+++ b/issues/gn-auth/implement-redirect-on-login.gmi
@@ -0,0 +1,22 @@
+# Redirect Users to the Correct URL on Login for GN2
+
+## Tags
+
+* assigned: alexm
+* priority: medium
+* status: in progress
+* keywords: gn-auth, auth, redirect, login, completed, closed, done
+* type: feature-request
+
+## Description
+
+The goal is to redirect users to the login page for services that require authentication, and then return them to the page they were trying to access before logging in, rather than sending them to the homepage. Additionally, display the message "You are required to log in" on the current page instead of on the homepage.
+
+## Tasks
+
+* [x] Redirect users to the login page if they are not logged in.
+* [x] Implement a redirect to the correct resource after users log in.
+
+## Notes
+See this PR for commits that fixes this:
+=> https://github.com/genenetwork/genenetwork2/pull/875
diff --git a/issues/gn-auth/implement-refresh-token.gmi b/issues/gn-auth/implement-refresh-token.gmi
index 6b697eb..0dc63f3 100644
--- a/issues/gn-auth/implement-refresh-token.gmi
+++ b/issues/gn-auth/implement-refresh-token.gmi
@@ -2,7 +2,7 @@
 ## Tags
-* status: open
+* status: closed, completed, fixed
 * priority: high
 * assigned: fredm, bonfacem
 * type: feature-request, bug
diff --git a/issues/gn-auth/new-privilegs-samples-ordering.gmi b/issues/gn-auth/new-privilegs-samples-ordering.gmi
new file mode 100644
index 0000000..be9cfe9
--- /dev/null
+++ b/issues/gn-auth/new-privilegs-samples-ordering.gmi
@@ -0,0 +1,32 @@
+# New Privileges: Samples Ordering
+
+## Tags
+
+* status: open
+* assigned: fredm
+* interested: @zachs, @jnduli, @flisso
+* priority: medium
+* type: feature-request, feature request
+* keywords: gn-auth, auth, privileges, samples, ordering
+
+## Description
+
+From the email thread:
+
+```
+Regarding the order of samples, it can basically be whatever we decide it is. It just needs to stay consistent (like if there are multiple genotype files). It only really affects how it's displayed, and any other genotype files we use for mapping needs to share the same order.
+```
+
+Since this has nothing to do with the data analysis, this could be considered a system-level privilege. I propose
+
+```
+system:species:samples:ordering
+```
+
+or something similar.
+
+This can be added into some sort of generic GN2 curator role (as opposed to a data curator role).
+
+This allows us to have users that are "data curators" that we can offload some of the data curation work to (e.g. @flisso, @suheeta etc.).
+
+We would then, restrict the UI and display "curation" to users like @acenteno, @robw and @zachs. This second set of users would thus have both the "data curation" roles, and still have the "UI curation" roles.
diff --git a/issues/gn-auth/pass-on-unknown-get-parameters.gmi b/issues/gn-auth/pass-on-unknown-get-parameters.gmi
new file mode 100644
index 0000000..a349800
--- /dev/null
+++ b/issues/gn-auth/pass-on-unknown-get-parameters.gmi
@@ -0,0 +1,17 @@
+# Pass on Unknown GET Parameters
+
+## Tags
+
+* status: open
+* priority: medium
+* type: feature-request, enhancement
+* assigned: fredm, zsloan
+* keywords: gn-auth, authorisation
+
+## Description
+
+A developer or user could be needing to access some feature hidden behind some flag (so called, "feature flags"). Some of these flags are set using known (to the application and developer/user) GET parameters.
+
+If the user provides these get parameters before login, then go through the login process, the unknown GET parameters are dropped silently, and the user has to them manually set them up again. This, while not a big deal, is annoying and wastes a few seconds each time.
+
+This feature request proposes to pass any unknown GET parameters untouched through the authentication/authorisation server and back to the authenticating client during the login process, to mitigate this small annoyance.
diff --git a/issues/gn-auth/problems-with-roles.gmi b/issues/gn-auth/problems-with-roles.gmi
index 46f3c52..2778b61 100644
--- a/issues/gn-auth/problems-with-roles.gmi
+++ b/issues/gn-auth/problems-with-roles.gmi
@@ -3,9 +3,9 @@
 ## Tags
 * type: bug
-* status: open
 * priority: critical
 * assigned: fredm, zachs
+* status: closed, completed, fixed
 * keywords: gn-auth, authorisation, authorization, roles, privileges
 ## Description
@@ -29,8 +29,8 @@ The implementation should instead, tie the roles to the specific resource, rathe
 * [x] migration: Add `resource:role:[create|delete|edit]-role` privileges to `resource-owner` role
 * [x] migration: Create new `resource_roles` db table linking each resource to roles that can act on it, and the user that created the role
 * [x] migration: Drop table `group_roles` deleting all data in the table: data here could already have privilege escalation in place
-* [ ] Create a new "Roles" section on the "Resource-View" page, or a separate "Resource-Roles" page to handle the management of that resource's roles
-* [ ] Ensure user can only assign roles they have created - maybe?
+* [x] Create a new "Roles" section on the "Resource-View" page, or a separate "Resource-Roles" page to handle the management of that resource's roles
+* [x] Ensure user can only assign roles they have created - maybe?
 ### Fixes
@@ -39,3 +39,4 @@ The implementation should instead, tie the roles to the specific resource, rathe
 => https://git.genenetwork.org/gn-auth/commit/?h=handle-role-privilege-escalation&id=5d34332f356164ce539044f538ed74b983fcc706
 => https://git.genenetwork.org/gn-auth/commit/?h=handle-role-privilege-escalation&id=f691603a8e7a1700783b2be6f855f30d30f645f1
 => https://git.genenetwork.org/gn-auth/commit/?h=handle-role-privilege-escalation&id=2363842cc81132a2592d5cda98e6ebf1305e8482
+=> https://github.com/genenetwork/genenetwork2/commit/a7a8754a57594e5705fea8e5bbea391a09e8f64c
diff --git a/issues/gn-auth/registration.gmi b/issues/gn-auth/registration.gmi
index 6558a6d..61ea94a 100644
--- a/issues/gn-auth/registration.gmi
+++ b/issues/gn-auth/registration.gmi
@@ -2,8 +2,11 @@
 # Tags
+* type: bug
 * assigned: fredm
 * priority: critical
+* status: closed, completed, fixed
+* keywords: gn-auth, auth, authorisation, authentication, registration
 # Issues
diff --git a/issues/gn-auth/resources-duplicates-in-resources-list.gmi b/issues/gn-auth/resources-duplicates-in-resources-list.gmi
new file mode 100644
index 0000000..379c1eb
--- /dev/null
+++ b/issues/gn-auth/resources-duplicates-in-resources-list.gmi
@@ -0,0 +1,29 @@
+# Resources: Duplicates in Resources List
+
+## Tags
+
+* type: bug
+* status: closed
+* priority: medium
+* assigned: fredm, zachs, zsloan
+* keywords: gn-auth, auth, authorisation, resources
+
+## Reproduce
+
+* Go to https://genenetwork.org/
+* Sign in to the system
+* Click on "Profile" at the top to go to your profile page
+* Click on "Resources" on your profile page to see the resources you have access to
+
+## Expected
+
+Each resource appears on the list only one time
+
+## Actual
+
+Some resources appear more than once on the list
+
+
+## Fix
+
+=> https://git.genenetwork.org/gn-auth/commit/?id=00f863b3dcb76f5fdca8e139e903e2f7edb861fc
diff --git a/issues/gn-auth/rework-view-resource-page.gmi b/issues/gn-auth/rework-view-resource-page.gmi
new file mode 100644
index 0000000..2d6e145
--- /dev/null
+++ b/issues/gn-auth/rework-view-resource-page.gmi
@@ -0,0 +1,22 @@
+# Rework "View-Resource" Page
+
+## Tags
+
+* status: closed, completed
+* priority: medium
+* type: enhancement
+* assigned: fredm, zsloan
+* keywords: gn-auth, resource, resources, view resource
+
+## Description
+
+The view resource page ('/oauth2/resource/<uuid>/view') was built with only Genotype, Phenotype, and mRNA resources in mind.
+
+We have since moved on, and added more types of resources (group, system, inbredset-group, etc). This leads to the page breaking for these other types of resources.
+
+We need to update the UI and route to ensure the page renders correctly for each type, or at the very least, redirects to the correct page (e.g. in the case of groups, which have a separate "view group" page).
+
+
+## Close as complete
+
+This is fixed now.
diff --git a/issues/gn-auth/send-out-confirmation-emails-on-registration.gmi b/issues/gn-auth/send-out-confirmation-emails-on-registration.gmi
new file mode 100644
index 0000000..e32c7c0
--- /dev/null
+++ b/issues/gn-auth/send-out-confirmation-emails-on-registration.gmi
@@ -0,0 +1,15 @@
+# Send out Confimation Emails on Registration
+
+## Tags
+
+* status: closed, completed
+* assigned: fredm
+* priority: medium
+* type: feature request, feature-request
+* keywords: gn-auth, email, user registration, email confirmation
+
+## Description
+
+Send out a emails to confirm that the emails users provide are valid. Probably add a way to check that the user is confirmed before allowing user to do anything in the application.
+
+=> https://matrix.to/#/!mBYtTotZGiPpHmjJnI:matrix.org/$ZgWbOMJweND9L_W91i3dhoHSvxh4By3GTLjCc1xoS14?via=matrix.org
diff --git a/issues/gn-auth/test1-deployment-cant-find-templates.gmi b/issues/gn-auth/test1-deployment-cant-find-templates.gmi
index bd2f57e..ca3bfad 100644
--- a/issues/gn-auth/test1-deployment-cant-find-templates.gmi
+++ b/issues/gn-auth/test1-deployment-cant-find-templates.gmi
@@ -4,7 +4,7 @@
 * assigned: fredm, aruni
 * priority: critical
-* status: open
+* status: closed, completed, fixed
 * type: bug
 * keywords: gn-auth, deployment, test1
|
