Koha
 » 
Koha - Dev (old list)

RFC: granular permissions

View: New views
1 Messages — Rating Filter:   Alert me  

RFC: granular permissions

by Galen Charlton :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Hi,

For a customer project I've been working on an approach to make Koha's
staff user permissions more granular.  The initial scope of the
development is restricting access to individual items on the tools
page, but the mechanism can readily be expanded to cover all of Koha's
modules.

My idea is to reinterpret the existing user flags to describe access
to entire functional modules, then create a second level of
permissions under each flag/module.  For example, associated with the
tools flag are 15 sub-permissions, one for each tool.  If the staff
user has permission for any of the tools, the user can get to the
tools page, but only the ones that the user has specific access to are
displayed.  The user flags editing page now uses a tree instead of a
table, with a jQuery tree control to allow expanding and collapsing
the tree of available permissions.

There are two major changes to the API:

* get_template_and_user and its kin now consider the value of each key
in the flagsrequired hash, e.g.,:

flagsrequired => {tools => 'export_catalog'} # must have
export_catalog or all tools
flagsrequired => {tools => '*'} # must have permission for at least one tool
flagsrequired => {tools => 1} # must have permission for all tools

* the set of CAN_user_XXX template variables is expanded to included
the specific permissions, e.g., CAN_user_tools_export_catalog.  If a
user has access to all tools, all 15 of the CAN_user_tools_YYY
template variables are set.

The granular permissions mechanism can be turned off or on with the
CheckSpecificUserPermissions system preference; when that preference
is off, only the top-level user flags are displayed in the permissions
editor and are considered during authorization checks.  By default,
this syspref is off.  However, I think the syspref should be
temporary, and should go away after 3.2 at the latest.

The specifications I followed are available on the wiki at
http://wiki.koha.org/doku.php?id=granularpermissions.  The patches
implementing this feature are available for review at
http://manage-gmc.dev.kohalibrary.com/patches/granular/.

Regards,

Galen
--
Galen Charlton
Koha Application Developer
LibLime
galen.charlton@...
p: 1-888-564-2457 x709


_______________________________________________
Koha-devel mailing list
Koha-devel@...
http://lists.nongnu.org/mailman/listinfo/koha-devel
Free embeddable forum powered by Nabble Forum Help