Changes between Version 302 and Version 303 of Event/2011/GCI


Timestamp:
01/15/12 09:49:16 (13 years ago)
Author:
Pat Tressel
Comment:

--

  • Event/2011/GCI

    v302 v303  
    227227
    228228=== Test a Sahana Eden module for correct access authorization ===
    229 Find out and document the common business rules for access authorization to the module, test the module for the consistent implementation of these rules and document the results
     229Find out and document the common business rules for access authorization to the module, test the module for the consistent implementation of these rules and document the results.
     230
     231There is a discussion in the IRC log that may be helpful if you want to do this task.
     232See http://logs.sahanafoundation.org/sahana-eden/2012-01-15.txt starting at about 08:12:16.
     233A few notes:
     234 * This requires installing your own copy of Sahana Eden, since the version running at demo.eden.sahanafoundation.org has security set to the lowest level. When you have Eden installed and have copied the configuration file deployment-templates/models/000_config.py to models/000_config.py, edit your copy of models/000_config.py. Search for and un-comment the line that says "deployment_settings.security.policy = 6". That will set the security level to a high level.
     235 * How security works is described here: http://eden.sahanafoundation.org/wiki/S3AAA
     236 * Create at least two users. The first user you register will be an "administrator". The second user will not have any special privileges. Some modules may have specialized roles so you may need extra users with those roles. Your administrator user can set roles for other users.
     237 * Appropriate modules to work on are those with multiple tables (and thus multiple forms) and where some data is restricted to particular "roles". Some suggested modules are: hms, hsm, org, asset, supply.
     238 * You'll need to both read the code, to see what roles have permission to do various operations, and try out the various form operations: reading, creating, and editing records.
     239 * We're mainly concerned with roles that are defined in Eden. (Each site that installs Eden can add their own roles, in addition to the roles defined in Eden.)
     240  * The major cases to look at are:
     241   * Non-logged-in users
     242   * Logged-in users without special privileges
     243   * Administrators
     244  * Some modules may have additional cases. For instance, hms has roles:
     245   * Hospital Admin
     246   * Hospital Staff
     247 * For each form in the module, find out what each type of user is allowed to do, i.e. can they...
     248  * Read a record
     249  * Create a record
     250  * Edit a record
     251  * Delete a record
     252  * For creating and editing, are there any fields that they can't touch?
    230253'''''Migrated'''''
    231254
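Review bot: new line 234 tells testers to un-comment `deployment_settings.security.policy = 6` and says only that this sets security "to a high level", without stating what that policy actually enforces, so a tester cannot tell which permission checks they are exercising or whether an observed failure is a module bug or an expected consequence of the chosen policy; suggest adding one sentence on what policy 6 enforces (or pointing at the relevant part of the S3AAA page linked on line 235) and asking that the documented results record which policy was in effect when each case was tested. Separately, line 237 lists both "hms" and "hsm" as suggested modules while line 244 uses hms as the worked example with Hospital Admin and Hospital Staff roles; worth confirming that "hsm" is an intended separate module rather than a transposition of "hms".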