Changes between Version 308 and Version 309 of Event/2011/GCI


Timestamp:
01/15/12 10:30:46 (13 years ago)
Author:
Pat Tressel
Comment:

--

  • Event/2011/GCI

    v308 v309  
    234234 * This requires installing your own copy of Sahana Eden, since the version running at demo.eden.sahanafoundation.org has security set to the lowest level. When you have Eden installed and have copied the configuration file deployment-templates/models/000_config.py to models/000_config.py, edit your copy of models/000_config.py. Search for and un-comment the line that says "deployment_settings.security.policy = 6". That will set the security level to a high level.
    235235 * How security works is described here: http://eden.sahanafoundation.org/wiki/S3AAA
     236  * Most access restrictions are handled through "access control lists" (ACLs) on modules, database tables, and fields. Anything handled this was does not need explicit tests in the controller code, but you may still find some explicit tests for authorization in the module's controller file or in its model file.
    236237 * Appropriate modules to work on are those with multiple tables (and thus multiple forms) and where some data is restricted to particular "roles". Some suggested modules are: hms, hsm, org, asset, supply.
    237238 * You'll need to both read the code, to see what roles have permission to do various operations, and try out the various form operations: reading, creating, and editing records.
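Review bot: typo in the added line 236, "Anything handled this was does not need explicit tests" should read "handled this way". The same sentence is also more absolute than the task warrants: since the students are being asked to verify what each role can do, saying ACL-handled restrictions "do not need explicit tests in the controller code" invites them to skip the controller. Suggest "usually does not need explicit tests in the controller code, but you may still find ..." and a pointer to where the ACLs for a module are defined, so the observed form behaviour on line 238 can be compared against the ACL rather than only against code in the controller; the S3AAA page linked on line 235 is the natural place to point at. Minor: line 234 says policy 6 sets "a high level" without saying what the levels are, so a one-phrase gloss or a reference to the S3AAA page would help a reader who has never seen 000_config.py.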
     
    249250  * An administrator can set roles for other users. Log in as your administrator, go to Administration -> User Management -> Roles
    250251 * For each form in the module, find out what each type of user is allowed to do, i.e. can they...
    251   * Read a record
     252  * Read a record (this doesn't allow editing)
    252253  * Create a record
    253   * Edit a record
     254  * Edit (update) a record
    254255  * Delete a record
    255256  * For creating and editing, are there any fields that they can't touch?
     257 * You may need to match up the form with the controller code that handles it. The URL for the form will look something like eden/module/function/action/... where "module" is the module name (e.g. "hms"), "function" is the name of a function in the module's controller file (these are usually named for database tables, e.g. in "hms", there is "hospital"), and "action" is what is happening to the record: read, create, update, delete. (If there is no action part of the URL, then it's "read").
    256258 * Write this up in the wiki.
    257259  * If you don't have on, register for an account here (http://eden.sahanafoundation.org).
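Review bot: the URL description added on line 257 ("eden/module/function/action/...") lists read, create, update and delete as the "action" part but never mentions the record id, which the read, update and delete cases need to identify a record; the trailing "..." hides this, so suggest spelling it out, e.g. "followed by the id of the record being read, updated or deleted". It would also help to say that the list on lines 252 to 255 uses the same four names deliberately, since the renames in this revision ("Read a record (this doesn't allow editing)", "Edit (update) a record") are what tie the form operations to the URL actions. Unchanged context line 259 still has the typo "If you don't have on" for "one". Line 258 "Write this up in the wiki" should name the page or section the write-up belongs in, otherwise each student will pick a different place.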