Software design documents

Matias Lespiau edited this page Aug 27, 2016 · 4 revisions

Access control lists

We are working on a feature that defines access levels per object based on the user's role. As the role field we plan to use the existing userCategory, which in OpenCATS, depending on the license, is not used (category 'careerportal') or has functionality similar to a role.

The feature is planned to be backward compatible: when no accessLevel configuration is defined, the accessLevel defined per user is used. When a userCategory -> securedObject -> accessLevel configuration is defined, the accessLevel is calculated from the category the user is assigned to.

We have published the first step on GitHub: direct use of $accessLevel is replaced by a calculation of the access level in a function in the session that takes a securedObjectName parameter. We changed the signature CATSSession.getAccessLevel() to CATSSession.getAccessLevel($securedObjectName), made CATSSession.accessLevel unavailable, and replaced all usage of CATSSession.accessLevel with CATSSession.getAccessLevel($securedObjectName).

Please check the current status and comment on this pull request: https://github.com/AnritsuSolutionsSK/OpenCATS/pull/1

Further steps planned:

1. Get rid of all direct usage of $accessLevel, replacing it with a calculation of the access level for a securedObjectName.
2. Add support for access level configuration per user category and secured object.
3. Correct securedObjectNames in places where they are not properly defined.

For the 1st step it is necessary to re-implement some generic functionality; any comments on that step are welcome.

Overview of configuration:

```php
$permissions = array();

$permissions['role1']['candidates']                             = ACCESS_LEVEL_MULTI_SA;
$permissions['role1']['candidates.logActivityChangeStatus']     = ACCESS_LEVEL_DELETE;
$permissions['role1']['candidates.addCandidate']                = ACCESS_LEVEL_READ;
$permissions['role1']['calendar']                               = ACCESS_LEVEL_READ;

$permissions['role2']['candidates']                             = ACCESS_LEVEL_MULTI_SA;
$permissions['role2']['candidates.addCandidate']                = ACCESS_LEVEL_EDIT;
$permissions['role2']['calendar']                               = ACCESS_LEVEL_DISABLED;
```

Overview of calculation:

- User1 has defined accessLevel=ACCESS_LEVEL_READ and has category=role1.
- User2 has defined accessLevel=ACCESS_LEVEL_DELETE and has category=role2.

Examples of calculations:

- `user1.getAccessLevel('candidates.logActivityChangeStatus')` returns ACCESS_LEVEL_DELETE
- `user2.getAccessLevel('candidates.logActivityChangeStatus')` returns ACCESS_LEVEL_MULTI_SA (the accessLevel of the 'parent' category 'candidates' is reused)
- `user1.getAccessLevel('contacts')` returns ACCESS_LEVEL_READ (category not defined for the role, so the user's defined access level is used)
- `user1.getAccessLevel('')` returns ACCESS_LEVEL_READ (the root securedObject accessLevel is requested, so the user's defined access level is used)
- `user2.getAccessLevel('')` returns ACCESS_LEVEL_DELETE (the root securedObject accessLevel is requested, so the user's defined access level is used)
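The calculation above as a self-contained PHP sketch (an added example, not OpenCATS code): the helper name `resolveAccessLevel` and the numeric constant values are assumptions made here. It goes one case beyond the examples listed, a role whose configured level is ACCESS_LEVEL_DISABLED, to show that the lookup has to test key existence so a disabled object does not fall back to the user's own, higher level.

```php
<?php
// Constructed values for this example; not copied from OpenCATS.
const ACCESS_LEVEL_DISABLED = 0;
const ACCESS_LEVEL_READ     = 100;
const ACCESS_LEVEL_EDIT     = 200;
const ACCESS_LEVEL_DELETE   = 300;
const ACCESS_LEVEL_MULTI_SA = 500;

$permissions = array(); // configuration from the page
$permissions['role1']['candidates']                         = ACCESS_LEVEL_MULTI_SA;
$permissions['role1']['candidates.logActivityChangeStatus'] = ACCESS_LEVEL_DELETE;
$permissions['role1']['candidates.addCandidate']            = ACCESS_LEVEL_READ;
$permissions['role1']['calendar']                           = ACCESS_LEVEL_READ;
$permissions['role2']['candidates']                         = ACCESS_LEVEL_MULTI_SA;
$permissions['role2']['candidates.addCandidate']            = ACCESS_LEVEL_EDIT;
$permissions['role2']['calendar']                           = ACCESS_LEVEL_DISABLED;

// Hypothetical helper, not the CATSSession implementation.
function resolveAccessLevel(array $permissions, $category, $userLevel, $objectName)
{
    // Root object or unconfigured category: keep the per-user level (backward compatible).
    if ($objectName === '' || !is_string($category) || !isset($permissions[$category])) {
        return $userLevel;
    }
    for ($name = $objectName; $name !== '';) {
        // Key-existence test, not truthiness: ACCESS_LEVEL_DISABLED is 0 here and
        // must be returned, not skipped in favour of the user's own level.
        if (array_key_exists($name, $permissions[$category])) {
            return $permissions[$category][$name];
        }
        $dot  = strrpos($name, '.');
        $name = ($dot === false) ? '' : substr($name, 0, $dot); // retry with the parent
    }
    return $userLevel; // nothing configured on the path to the root
}

// category, user's own level, secured object, expected level
$cases = array(
    array('role1', ACCESS_LEVEL_READ,   'candidates.logActivityChangeStatus', ACCESS_LEVEL_DELETE),
    array('role2', ACCESS_LEVEL_DELETE, 'candidates.logActivityChangeStatus', ACCESS_LEVEL_MULTI_SA),
    array('role1', ACCESS_LEVEL_READ,   'contacts', ACCESS_LEVEL_READ),
    array('role1', ACCESS_LEVEL_READ,   '',         ACCESS_LEVEL_READ),
    array('role2', ACCESS_LEVEL_DELETE, '',         ACCESS_LEVEL_DELETE),
    array('role2', ACCESS_LEVEL_DELETE, 'calendar', ACCESS_LEVEL_DISABLED), // added case
);
foreach ($cases as list($category, $userLevel, $object, $expected)) {
    $got = resolveAccessLevel($permissions, $category, $userLevel, $object);
    printf("%-6s %-38s %3d %s\n", $category, "'$object'", $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```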

Please comment.