3 | | Roles are stored in the {{auth_group}}. |
4 | | |
5 | | These have no links to the groups in {{{pr_group}}}. |
6 | | |
7 | | We are currently adopting a simplistic 3-tier approach of Person -> Role -> Permissions. |
8 | | |
9 | | We consider that the 4-tier approach of Person -> Group -> Role -> Permissions is unnecessarily complex for users, despite giving strong flexibility & the potential for advanced admins to move persons into roles in bulk & including future members of the group. |
10 | | |
11 | | Roles for the currently logged-in user are cached in the session for easy access throughout Model, Controllers & Views. |
| 3 | * Roles are stored in the {{auth_group}}. |
| 4 | * These have no links to the groups in {{{pr_group}}}. |
| 5 | * We are currently adopting a simplistic 3-tier approach of Person -> Role -> Permissions. |
| 6 | * We consider that the 4-tier approach of Person -> Group -> Role -> Permissions is unnecessarily complex for users, despite giving strong flexibility & the potential for advanced admins to move persons into roles in bulk & including future members of the group. |
| 7 | * Roles for the currently logged-in user are cached in the session for easy access throughout Model, Controllers & Views. |
| 8 | * Replace {{{auth.has_membership(group)}}} in default modules menu in {{{01_modules.py}}} |
354 | | * Option: Introduce full-blown model of Persons -> Groups (pr_group) -> Roles (auth_group) -> Permissions |
355 | | * Downside: Extra layer of confusion for both Admins & Developers |
356 | | * Upside: Very flexible for Admins to manage which users (in bulk & future members) get what access to resources (subject to sufficient roles being made available by the developer) |
| 324 | |
| 325 | * '''FRP''': |
| 326 | * An 'IP User' is permitted to submit requests on behalf of his organisation. |
| 327 | 1. Hide 'Create Request' menu item unless this role present |
| 328 | 2. Restrict the 'create' right on the Requests table to members of this role |
| 329 | 3. In View request_create provide jQuery which hides the {{{or_organisation field}}} for people with this role. |
| 330 | 4. Match this server-side by providing a create_onvalidation hook which says that if someone in this role then set the Organisation to theirs. |
| 331 | * An 'IP Admin' is an 'IP User' who can, in addition, add new 'IP Users' to their organisation. |
| 332 | 1. just has the IP_Admin role added to menu unhiding |
| 333 | 2. just has the IP_Admin role added to restriction |
| 334 | 3. just has the IP_Admin role added to jQuery hide |
| 335 | 4. just has the IP_Admin role added to create_onvalidation |
| 336 | 5. Hide 'Add IP User' menu item unless this role present |
| 337 | * this takes you to a specialised auth_membership form with the IP_User role preselected (can be done in jQuery hiding the selected real dropdown & putting text up in visible part instead) |
| 338 | 6. Restrict the 'create' right on the {{{auth_membership}}} table to members of this role |
| 339 | 7. Provide onvalidation on auth_membership to set the group_id to 'IP_User' if this role is set |
| 340 | * A 'FAC User' is an 'IP Admin' for all organisations, but without 'IP User' permissions except for their own organisation (=WFP). |
| 341 | 1. just has the FAC_User role added to menu unhiding |
| 342 | 2. just has the FAC_User role added to restriction |
| 343 | 3. just has the FAC_User role added to jQuery hide |
| 344 | 4. just has the FAC_User role added to create_onvalidation |
| 345 | 5. takes to a normal form without the jQuery hiding (can be identical form just the jQuery doesn't activate for this role) |
| 346 | 6. just has the FAC_User role added to restriction |
| 347 | 7. just has the FAC_User role added to onvalidation |
| 348 | * A 'FAC Admin' is a 'FAC User' with additional 'IP User' permissions for all organisations. |
| 349 | 1. just has the FAC_Admin role added to menu unhiding |
| 350 | 2. just has the FAC_Admin role added to restriction |
| 351 | 3. has nothing special (jQuery doesn't activate for this role) |
| 352 | 4. has nothing special (no special onvalidation) |
| 353 | 5. takes to a normal form without the jQuery hiding (can be identical form just the jQuery doesn't activate for this role) |
| 354 | 6. just has the FAC_Admin role added to restriction |
| 355 | 7. just has the FAC_Admin role added to onvalidation |
| 356 | |