AddRole

Introduction

Project members should be able to view their own timesheets but no one else's.

Functional description

An authenticated user is authorized for one of two roles:
  • opsadmin
  • projectmember
Which role a user gets is determined by LDAP group membership.

If a person in the projectmember role logs in to OpsAdmin, only the home page and the report tab should be accessible. On the report page it is not possible to select a person: the person filter is fixed to the authenticated user.

Technical description

Authorization and authentication happen at 3 different locations (see the diagram newRole.png under Topic attachments):

  • ops_project authorization: set the property gettimesheet_for_administrators_only to false in opsproject.properties. (Changes to ops_webdav are not required because users are already allowed to access their own calendars.)

  • ops_admin:
    • In web.xml add an extra projectmember role corresponding to the OpsProject group in LDAP. The value of this role should be configurable in Spring.
    • OPSAdminApplication overrides newSession, reads the user role and user id from the HttpServletRequest object and stores both in the session.
    • All ops_admin pages inherit from OpsAdminPage, which has links to all the tabs. The admin links will be put in a fragment that is only added if the user has the admin role.
    • A conditional will be added to the application class, making the Report page the home page for users without the admin role (since such a user cannot choose any functionality other than report anyway).
    • ReportPage will be refactored for readability.
    • A conditional is added that checks the role and the user id. If the user does not have the admin role, only that user is retrieved and the list of projects is filtered to the current user. This check must run server-side on every report request, not only when rendering the person selector, so that a project member cannot widen the query by submitting a different person id.
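The following is an added example (not OpsAdmin project code) of the two ops_admin steps above: taking the user id and role from the container-authenticated HttpServletRequest once, in newSession, and then enforcing the projectmember constraint on the report query regardless of what the browser submitted. The class name ReportAuthorization, the UserSession snapshot, the TimesheetDao interface and the literal role names are assumptions for the illustration; the project's own session and data-access classes will differ.

```java
// Added example, not part of the OpsAdmin code base.
// Role names, UserSession and TimesheetDao are assumptions for this illustration.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

public final class ReportAuthorization {

    /** Role names as declared in web.xml (assumed); the projectmember value is
     *  the one the design says should be configurable in Spring. */
    public static final String ROLE_OPSADMIN = "opsadmin";
    public static final String ROLE_PROJECTMEMBER = "projectmember";

    /** Immutable snapshot of who the caller is, taken once in newSession(). */
    public static final class UserSession implements Serializable {
        private final String userId;
        private final boolean admin;

        UserSession(String userId, boolean admin) {
            this.userId = userId;
            this.admin = admin;
        }
        public String getUserId() { return userId; }
        public boolean isAdmin() { return admin; }
    }

    /**
     * Called from OPSAdminApplication.newSession(). The servlet container has
     * already authenticated the user against LDAP, so getRemoteUser() and
     * isUserInRole() are the authoritative source; nothing taken from request
     * parameters is trusted for identity or role.
     */
    public static UserSession fromRequest(HttpServletRequest request) {
        String userId = request.getRemoteUser();
        if (userId == null) {
            throw new IllegalStateException("OpsAdmin pages require an authenticated user");
        }
        boolean admin = request.isUserInRole(ROLE_OPSADMIN);
        if (!admin && !request.isUserInRole(ROLE_PROJECTMEMBER)) {
            throw new IllegalStateException("user " + userId + " is in neither role");
        }
        return new UserSession(userId, admin);
    }

    /** Minimal view of the data access the report page needs (assumed interface). */
    public interface TimesheetDao {
        List<String> listProjects();
        List<String> listProjectsForPerson(String personId);
    }

    /**
     * Resolves which person the report may be generated for. The person
     * selector is hidden in the UI for project members, but this check runs
     * on the server for every report request, so a tampered form cannot
     * widen the query to someone else's timesheet.
     */
    public static String resolvePerson(UserSession session, String requestedPerson) {
        if (session.isAdmin()) {
            return requestedPerson;   // admins may pick anyone (null = no person filter)
        }
        if (requestedPerson != null && !requestedPerson.equals(session.getUserId())) {
            throw new SecurityException("project member " + session.getUserId()
                    + " may not view timesheets of " + requestedPerson);
        }
        return session.getUserId();
    }

    /** Projects offered in the report: all of them for admins, own projects only otherwise. */
    public static List<String> visibleProjects(UserSession session, TimesheetDao dao) {
        if (session.isAdmin()) {
            return dao.listProjects();
        }
        List<String> own = new ArrayList<String>(dao.listProjectsForPerson(session.getUserId()));
        return Collections.unmodifiableList(own);
    }
}
```

resolvePerson() is the check that matters for the "no one else's timesheet" requirement: hiding the selector in OpsAdminPage only changes what the browser renders, so the report code and any other path that reaches the timesheet data (the webdav servlet mentioned in the discussion below, for instance) need the same rule applied before the query is built.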

Estimates

task                                            hours  todo
refactor ReportPage                                 4     0
check out ops_project and make it work locally      4     0
new! make ics files for non-admin users             4     0
add changes throughout the app                      6     0
Total                                              18     0


Discussion

  • Isn't the project member role already implied? When a user is an ops user he/she is probably supposed to be a project member, as that is the purpose of ops. The administrator role explicitly adds rights to this implied role. -- IvoVanDongen - 14 Aug 2008
  • I think there are more possible kinks in the cable (the webdav authentication servlet, for example). I think it would be best to create an inventory of the components/connections that are used in generating a report to identify all possible places where the authorization must be revised. -- IvoVanDongen - 14 Aug 2008

-- IvanaCace - 06 Aug 2008

Topic attachments
Attachment    Size    Date                  Who        Comment
newRole.png   35.2 K  21 Aug 2008 - 08:14  IvanaCace  nr
Topic revision: r11 - 25 Aug 2008 - 08:49:46 - IvanaCace
