Changes between Version 61 and Version 62 of BluePrintAuthorization


Ignore:
Timestamp:
06/19/10 22:47:46 (11 years ago)
Author:
Fran Boon
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • BluePrintAuthorization

    v61 v62  
    11= !BluePrint for Authorization =
    22== Roles ==
    3 Roles are stored in the {{auth_group}}.
    4 
    5 These have no links to the groups in {{{pr_group}}}.
    6 
    7 We are currently adopting a simplistic 3-tier approach of Person -> Role -> Permissions.
    8 
    9 We consider that the 4-tier approach of Person -> Group -> Role -> Permissions is unnecessarily complex for users, despite giving strong flexibility & the potential for advanced admins to move persons into roles in bulk & including future members of the group.
    10 
    11 Roles for the currently logged-in user are cached in the session for easy access throughout Model, Controllers & Views.
     3 * Roles are stored in the {{auth_group}}.
     4 * These have no links to the groups in {{{pr_group}}}.
     5 * We are currently adopting a simplistic 3-tier approach of Person -> Role -> Permissions.
     6 * We consider that the 4-tier approach of Person -> Group -> Role -> Permissions is unnecessarily complex for users, despite giving strong flexibility & the potential for advanced admins to move persons into roles in bulk & including future members of the group.
     7 * Roles for the currently logged-in user are cached in the session for easy access throughout Model, Controllers & Views.
     8  * Replace {{{auth.has_membership(group)}}} in default modules menu in {{{01_modules.py}}}
    129In {{{models/00_utils.py}}}:
    1310{{{
     
    2623    session.s3.roles = roles
    2724}}}
     25
     26=== Caching ===
     27Cache should be invalidated as part of the onaccept for auth_group.update()
     28 * This can be done by storing a key in the session & changing the key (Dominic to expand...)
     29
    2830== Restrictions ==
    2931=== Module restriction ===
     
    3133 * Add Controller check as well as menu check.
    3234  * {{{appadmin.py}}} & {{{dvi.py}}} have these already
     35   * need modifying to use {{{session.s3.roles}}}
    3336 * Configure permissions in {{{000_config.py}}} instead of {{{01_modules.py}}}
    3437  * Change {{{deployment_settings.modules}}} from a list of strings to a Storage()
     
    6770 * ~~Decorator function : @auth.requires_membership("Administrator")~~
    6871  * doesn't support OR, doesn't support NOT
     72  * not efficient now we have {{{session.s3.roles}}}
    6973 * We need to write a function which handles OR & NOT: {{{shn_role_check(1, 2, not=(3))}}}
    7074 * Developer can put in additional manual restrictions or alternate routes, as-required
     
    107111        deleted = 1
    108112
    109     try:
    110         user_id = auth.user.id
    111         _memberships = db.auth_membership
    112         memberships = db(_memberships.user_id == user_id).select(_memberships.group_id, cache=(cache.ram, 60))
    113     except:
    114         memberships = None
    115    
    116     roles = []
    117     for membership in memberships:
    118         roles.append(membership.group_id)
     113    roles = session.s3.roles
    119114
    120115    if 1 in roles:
     
    151146    """
    152147
    153     try:
    154         user_id = auth.user.id
    155         _memberships = db.auth_membership
    156         memberships = db(_memberships.user_id == user_id).select(_memberships.group_id, cache=(cache.ram, 60))
    157     except:
    158         memberships = None
    159    
    160     roles = []
    161     for membership in memberships:
    162         roles.append(membership.group_id)
     148    roles = session.s3.roles
    163149
    164150    table = db[tablename]
     
    262248 * In model (for access by all controllers, such as sync):
    263249{{{
    264 try:
    265     user_id = auth.user.id
    266     _memberships = db.auth_membership
    267     memberships = db(_memberships.user_id == user_id).select(_memberships.group_id, cache=(cache.ram, 60))
    268 except:
    269     memberships = None
    270 
    271 roles = []
    272 for membership in memberships:
    273     roles.append(membership.group_id)
    274 
    275250if 1 not in roles and deployment_settings.auth.roles["MyRole"] not in roles:
    276     table.field.readable = False
    277 }}}
    278   * NB If doing this then the roles checks inside {{{shn_has_permission()}}} & {{{shn_accessible_fields()}}} should be modified to read this global value instead of more DAL queries (even cached)!
     251    table.field1.readable = False
     252    table.field2.writable = False
     253}}}
    279254
    280255=== Location restriction ===
     
    307282    * means extra logic every CRUD check when most resources don't need this
    308283   
    309 === Caching ===
    310 Permissions are cached to reduce overheads.
    311  * Cache should be invalidated as part of the onaccept for auth_group.update()
    312   * This can be done by storing a key in the session & changing the key (Dominic to expand...)
    313 
    314284=== Visibility of Options ===
    315285Ideally options which a user doesn't have permission for should be hidden from them.
     
    352322 * '''FRP''': if a user has a role which would normally be granted permission to a resource has another role, then deny them access instead.
    353323  * {{{shn_role_check}}} covers this: [wiki:BluePrintAuthorization#Functionrestriction]
    354   * Option: Introduce full-blown model of Persons -> Groups (pr_group) -> Roles (auth_group) -> Permissions
    355    * Downside: Extra layer of confusion for both Admins & Developers
    356    * Upside: Very flexible for Admins to manage which users (in bulk & future members) get what access to resources (subject to sufficient roles being made available by the developer)
     324
     325 * '''FRP''':
     326  * An 'IP User' is permitted to submit requests on behalf of his organisation.
     327   1. Hide 'Create Request' menu item unless this role present
     328   2. Restrict the 'create' right on the Requests table to members of this role
     329   3. In View request_create provide jQuery which hides the {{{or_organisation field}}} for people with this role.
     330   4. Match this server-side by providing a create_onvalidation hook which says that if someone in this role then set the Organisation to theirs.
     331  * An 'IP Admin' is an 'IP User' who can, in addition, add new 'IP Users' to their organisation.
     332   1. just has the IP_Admin role added to menu unhiding
     333   2. just has the IP_Admin role added to restriction
     334   3. just has the IP_Admin role added to jQuery hide
     335   4. just has the IP_Admin role added to create_onvalidation
     336   5. Hide 'Add IP User' menu item unless this role present
     337    * this takes you to a specialised auth_membership form with the IP_User role preselected (can be done in jQuery hiding the selected real dropdown & putting text up in visible part instead)
     338   6. Restrict the 'create' right on the {{{auth_membership}}} table to members of this role
     339   7. Provide onvalidation on auth_membership to set the group_id to 'IP_User' if this role is set
     340  * A 'FAC User' is an 'IP Admin' for all organisations, but without 'IP User' permissions except for their own organisation (=WFP).
     341   1. just has the FAC_User role added to menu unhiding
     342   2. just has the FAC_User role added to restriction
     343   3. just has the FAC_User role added to jQuery hide
     344   4. just has the FAC_User role added to create_onvalidation
     345   5. takes to a normal form without the jQuery hiding (can be identical form just the jQuery doesn't activate for this role)
     346   6. just has the FAC_User role added to restriction
     347   7. just has the FAC_User role added to onvalidation
     348  * A 'FAC Admin' is a 'FAC User' with additional 'IP User' permissions for all organisations.
     349   1. just has the FAC_Admin role added to menu unhiding
     350   2. just has the FAC_Admin role added to restriction
     351   3. has nothing special (jQuery doesn't activate for this role)
     352   4. has nothing special (no special onvalidation)
     353   5. takes to a normal form without the jQuery hiding (can be identical form just the jQuery doesn't activate for this role)
     354   6. just has the FAC_Admin role added to restriction
     355   7. just has the FAC_Admin role added to onvalidation
     356
    357357----
    358358BluePrintAuthenticationAccess