Find out and document the common business rules for access authorization to the module, test the module for the consistent implementation of these rules and document the results.

There is a discussion in the IRC log that may be helpful if you want to do this task.
See http://logs.sahanafoundation.org/sahana-eden/2012-01-15.txt starting at about 08:12:16.
A few notes:
* This requires installing your own copy of Sahana Eden, since the version running at demo.eden.sahanafoundation.org has security set to the lowest level. When you have Eden installed and have copied the configuration file deployment-templates/models/000_config.py to models/000_config.py, edit your copy of models/000_config.py. Search for and un-comment the line that says "deployment_settings.security.policy = 6". That sets the security policy to a high level.
* How security works is described here: http://eden.sahanafoundation.org/wiki/S3AAA
* Create at least two users. The first user you register will be an "administrator". The second user will not have any special privileges. Some modules may have specialized roles, so you may need extra users with those roles. Your administrator user can set roles for other users.
* Appropriate modules to work on are those with multiple tables (and thus multiple forms) and where some data is restricted to particular "roles". Some suggested modules are: hms, hsm, org, asset, supply.
* You'll need to both read the code, to see what roles have permission to do various operations, and try out the various form operations: reading, creating, and editing records.
* We're mainly concerned with roles that are defined in Eden. (Each site that installs Eden can add their own roles, in addition to the roles defined in Eden.)
* The major cases to look at are:
  * Non-logged-in users
  * Logged-in users without special privileges
  * Administrators
* Some modules may have additional cases. For instance, hms has roles:
  * Hospital Admin
  * Hospital Staff
* For each form in the module, find out what each type of user is allowed to do, i.e. can they...
  * Read a record
  * Create a record
  * Edit a record
  * Delete a record
* For creating and editing, are there any fields that they can't touch?
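The notes above amount to a test matrix: every form in the module, crossed with every type of user, crossed with read/create/edit/delete. The harness below is an added example, not Sahana Eden code, showing one way to record that matrix and to flag results that contradict the usual access-control expectations (a role that can edit records it cannot read, or a less privileged role that can do something a more privileged role cannot). The role names, the form names `hospital` and `hospital_bed`, the privilege ordering in `ESCALATION` and the `OBSERVED` data are all constructed for the example; in real use, `probe()` would be replaced by a check that logs in to your local Eden instance (security policy 6) as the test user for that role and attempts the operation through the form. The output is a Trac-style wiki table, suitable for pasting into the results write-up.

```python
from itertools import product

# Roles in roughly increasing privilege. The two hms-specific ones are the page's
# "Hospital Staff" and "Hospital Admin"; the ordering is an assumption used only
# by the sanity checks, not something Eden itself defines.
ROLES = ("anonymous", "authenticated", "hospital_staff", "hospital_admin", "admin")
OPERATIONS = ("read", "create", "edit", "delete")
TABLES = ("hospital", "hospital_bed")          # hypothetical form names
ESCALATION = tuple(zip(ROLES, ROLES[1:]))       # (lower, higher) privilege pairs

# Constructed observations standing in for a live instance. A real probe would log
# in as each test user and attempt the operation on the form. Two inconsistencies
# are planted deliberately so the checks below have something to report.
OBSERVED = {
    ("hospital", "anonymous"):         {"read"},
    ("hospital", "authenticated"):     {"read"},
    ("hospital", "hospital_staff"):    {"read", "edit"},
    ("hospital", "hospital_admin"):    {"read", "create", "edit", "delete"},
    ("hospital", "admin"):             {"read", "create", "edit", "delete"},
    ("hospital_bed", "anonymous"):     {"read", "edit"},   # planted: anonymous can edit
    ("hospital_bed", "authenticated"): {"read"},
    ("hospital_bed", "hospital_staff"): {"edit"},          # planted: edit without read
    ("hospital_bed", "hospital_admin"): {"read", "create", "edit", "delete"},
    ("hospital_bed", "admin"):         {"read", "create", "edit", "delete"},
}


def probe(table, role, operation):
    """Return True if `role` was observed to be permitted `operation` on `table`.
    Stand-in for the live check against a local Eden instance."""
    return operation in OBSERVED[(table, role)]


def build_matrix(tables=TABLES, roles=ROLES, operations=OPERATIONS, probe_fn=probe):
    """Try every (table, role, operation) combination and record what was permitted."""
    return {
        (table, role): frozenset(op for op in operations if probe_fn(table, role, op))
        for table, role in product(tables, roles)
    }


def find_inconsistencies(matrix, escalation=ESCALATION):
    """Flag results that contradict generic expectations:
    - a role can create/edit/delete records it cannot read
    - a less privileged role can do something a more privileged role cannot
    Returns a sorted list of (table, role, message) tuples."""
    findings = []
    for (table, role), allowed in matrix.items():
        writes = allowed - {"read"}
        if writes and "read" not in allowed:
            findings.append((table, role,
                             "write access (%s) without read" % ", ".join(sorted(writes))))
    for table in sorted({table for table, _ in matrix}):
        for lower, higher in escalation:
            extra = matrix[(table, lower)] - matrix[(table, higher)]
            if extra:
                findings.append((table, lower,
                                 "allowed %s but %s is not" % (", ".join(sorted(extra)), higher)))
    return sorted(findings)


def render_wiki_table(matrix, tables=TABLES, roles=ROLES, operations=OPERATIONS):
    """Render the matrix as a Trac wiki table: one row per (form, role)."""
    lines = ["||= form =||= role =||" + "".join("= %s =||" % op for op in operations)]
    for table in tables:
        for role in roles:
            cells = ["yes" if op in matrix[(table, role)] else "no" for op in operations]
            lines.append("|| %s || %s || %s ||" % (table, role, " || ".join(cells)))
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = build_matrix()
    print(render_wiki_table(matrix))
    for table, role, message in find_inconsistencies(matrix):
        print("INCONSISTENT: %s / %s: %s" % (table, role, message))
```

Recording the observed behaviour separately from the expected business rules is the point: the table documents what the module actually does, and the sanity checks only surface candidates for discussion, since a module may legitimately grant a specialized role something the generic administrator does not have.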