| | 1 | = Record Approval = |
| | 2 | [[TOC]] |
| | 3 | |
| | 4 | The S3 '''Record Approval Framework''' hides records which have not yet been reviewed and approved by an authorized user. |
| | 5 | |
| | 6 | == Unapproved Records == |
| | 7 | |
| | 8 | Whether a record is approved or not is encoded as {{{approved_by}}} field in the record. The field is either None (unapproved record) or holds the user ID of the approving user (approved record). |
| | 9 | |
| | 10 | For tables which require approval, this field is mandatory (field type "integer" or "reference auth_user"). The default value for this field is None, i.e. all new records are unapproved by default. This field should not be editable, i.e. writable=False. |
| | 11 | |
| | 12 | == Workflow == |
| | 13 | |
| | 14 | The intended workflow for approval is: |
| | 15 | |
| | 16 | - user creates a new record => record is unapproved by default (i.e. approved_by=None) |
| | 17 | - unapproved records are treated as invalid and excluded from any kind of workflow (i.e. invisible) except for review/approval |
| | 18 | - user with approval role reviews the record and either approves or rejects it |
| | 19 | - approve sets the approved_by field of the record to the approving users ID |
| | 20 | - reject deletes the record and all its dependencies |
| | 21 | - approved records are now available for all workflows, except for review/approval |
| | 22 | |
| | 23 | Developer notes: |
| | 24 | |
| | 25 | - ''it should not be possible to import pre-approved records, otherwise this would allow unauthorized users to circumvent the approval framework'' |
| | 26 | - ''unapproved records should be disregarded in Sync, because otherwise this introduces the same hole as above: the user could approve the record in a remote instance where he is Admin and synchronize it back. Apart from that, circulation of unapproved records turns the purpose of approval somewhat upside down.'' |
| | 27 | |
| | 28 | == Configuration == |
| | 29 | |
| | 30 | The Record Approval Framework can be turned '''on/off globally''' by a deployment setting: |
| | 31 | |
| | 32 | {{{ |
| | 33 | settings.auth.record_approval = True |
| | 34 | }}} |
| | 35 | |
| | 36 | Default is False. |
| | 37 | |
| | 38 | In addition to activating record approval, you will also need to set the role which is permitted to review/approve/reject records: |
| | 39 | |
| | 40 | {{{ |
| | 41 | settings.auth.record_approver_role = <role_uid> |
| | 42 | }}} |
| | 43 | |
| | 44 | The permission to review/approve/reject records of this role is realm-limited (see [wiki:S3AAA/OrgAuth] for more details). |
| | 45 | |
| | 46 | Admin can always see all records, regardless whether they are approved or not. Other users can only see approved records, unless they have the approver role and use one of the approval methods "review", "approve", "reject". |
| | 47 | |
| | 48 | Whether record approval is required can be configured '''per table''' like: |
| | 49 | |
| | 50 | {{{ |
| | 51 | s3db.configure(tablename, requires_approval=True) |
| | 52 | }}} |
| | 53 | |
| | 54 | Default is False. |
| | 55 | |
| | 56 | For a '''deployment-specific''' approval configuration, you can override all table-specific settings with: |
| | 57 | |
| | 58 | {{{ |
| | 59 | settings.auth.record_approval_required_for = [tablename, tablename] |
| | 60 | }}} |
| | 61 | |
| | 62 | Record approval will then only be applied to those tables in the list. If you set this to {{{None}}}, it will fall back to the table-specific settings. |
| | 63 | |
| | 64 | == Methods to Approve or Reject Records == |
| | 65 | |
| | 66 | S3Resource implements two low-level methods for record approval: |
| | 67 | |
| | 68 | {{{ |
| | 69 | resource.approve() |
| | 70 | }}} |
| | 71 | ...to approve all records in a resource (and all its components), and |
| | 72 | |
| | 73 | {{{ |
| | 74 | resource.reject() |
| | 75 | }}} |
| | 76 | ...to reject (=delete) all unapproved records in a resource. |
| | 77 | |
| | 78 | S3CRUD shall implement the following methods: |
| | 79 | |
| | 80 | {{{ |
| | 81 | /controller/function/review |
| | 82 | }}} |
| | 83 | ...to see all unapproved records in a resource, or: |
| | 84 | {{{ |
| | 85 | /controller/function/XY/review |
| | 86 | }}} |
| | 87 | ...to review a particular record, which then gives the user the option to either: |
| | 88 | |
| | 89 | {{{ |
| | 90 | POST /controller/function/XY/approve |
| | 91 | }}} |
| | 92 | ...approve the record, or: |
| | 93 | {{{ |
| | 94 | POST /controller/function/XY/reject |
| | 95 | }}} |
| | 96 | ...reject it. |
| | 97 | |
| | 98 | '''NOTE:''' resource.reject() is much more rigorous about record deletion than delete() - it will try to ignore any RESTRICTs and rigirously delete any dependency, because otherwise unapproved records could still leave a legacy behind which is not desirable. However, that means that reject() must always be properly authorized and strictly limited to unapproved records in tables which require approval. |
| | 99 | |
| | 100 | '''Developer note:''' ''GET to {{{approve}}} or {{{reject}}} shall forward to {{{review}}} (for REST compliance)'' |
| | 101 | '''Developer note:''' ''If {{{approve}}} or {{{reject}}} are called without record ID, they shall raise a "Record Not Found" error rather than to approve/reject all unapproved records as per the requirement that a record can only be approved/rejects after it has been reviewed (=no bulk approval/reject).'' |
| | 102 | |
| | 103 | == Callbacks == |
| | 104 | |
| | 105 | For both, resource.approve() and resource.reject(), there are hooks which will be called for each record that gets approved/rejected: |
| | 106 | |
| | 107 | {{{ |
| | 108 | s3db.configure(tablename, onapprove=function) |
| | 109 | s3db.configure(tablename, onreject=function) |
| | 110 | }}} |
| | 111 | |
| | 112 | The hook function must table {{{(table, row)}}} as parameter, and doesn't return anything. |
