Changes between Version 23 and Version 24 of BluePrintOrganisationRegistry
- Timestamp:
- 03/11/11 10:50:24 (14 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
BluePrintOrganisationRegistry
v23 v24 27 27 * {{{supervisor}}} - This gives the options for more permissive permissions for some staff. 28 28 29 This is done by the {{{shn_create_record_roles}}} function in {{{models/05_org.py}}}, which can be called from a org or site onaccept by using:29 This is done by the {{{shn_create_record_roles}}} function in {{{models/05_org.py}}}, which can be called from a org or site onaccept by configuring the onaccept for that resource as following: 30 30 {{{ 31 # Create roles for each organisation 31 # Create roles for each organisation / site instance 32 32 s3xrc.model.configure(table, 33 33 onaccept = shn_staff_join_onaccept_func(tablename)) 34 34 }}} 35 (This code should be called after the resource table is defined in the model) 35 36 36 37 === Enabling Staff Permissions === 37 38 1. Set: 38 39 {{{ 39 deployment_settings.security.policy = 3 # Controller-ACLs 40 deployment_settings.security.policy = 3 # Controller-ACLs. 4 & 5 will also work 40 41 deployment_settings.aaa.has_staff_permissions = True 41 deployment_settings.aaa.staff_acl = Permissions for staff 42 deployment_settings.aaa.supervisor_acl = Permissions for s taff flagged as "supervisor"42 deployment_settings.aaa.staff_acl = Permissions for staff role 43 deployment_settings.aaa.supervisor_acl = Permissions for supervisor role 43 44 }}} 44 2. Add staff to organisations and sites 45 2. When a new organisation or site instance is created: 46 i. The current user is added as a Staff (with supervisor set) to the record 47 i. New roles (staff & supervisor) are automatically created for that record (<tablename>_staff_id & <tablename>_supervisor_id). 48 i. The current user is added as a member of both of those roles. 49 50 3. Add staff to organisations and sites to grant them permission 45 51 46 52 === Inheriting Permissions === 47 To allow other components inherit the same permissions as the primary resource, the following function can be called, to add a onaccept function which will copy the "owned_by_role" from the primary resource 53 To allow other components inherit the same permissions as the primary resource, the following function can be called, to add a onaccept function which will copy the "owned_by_role" from the primary resource. This onaccept should be added to the onaccept for the component resource. 48 54 {{{ 49 55 # Update owned_by_role to the site's owned_by_role … … 57 63 }}} 58 64 65 The staff component resource itself currently inherit permissions from sites not organisations, because this is LESS permissive. This may need to become a deployment setting. 59 66 60 67 === To Do === 61 68 * How to handle permissions for site resources - should they inherit permissions from an organisation resource? 69 * No, they have their own permissions which are more specific than the organisation permissions, but... 70 * Have an deployment_setting to switch between: 71 a. Sites having their own permissions according to the staff of that site 72 a. All sites inheriting their permissions from the organisation's staff (site's owned_by_role = org_organisation_staff role) 73 * Allow staff for Organisation to be marked as "admin" (or something) and have them ALWAYS have permissions for any site belonging to the organisation 62 74 * if a single person is assigned as staff to multiple sites or organisations, there will be multiple site records for this person. This may cause confusion when creating staff lists. Perhaps the data structure should be revised to accommodate this. 63 75
