[12829] | 1 | .. _users: |
---|
| 2 | |
---|
[12917] | 3 | Users |
---|
| 4 | ***** |
---|
[12915] | 5 | |
---|
[12918] | 6 | Kofa distinguishes between four types of users: anonymous users, |
---|
| 7 | applicants, students, portal officers/managers and the Zope manager. |
---|
| 8 | Kofa distinguishes further between authenticated and unauthenticated |
---|
| 9 | users and between users with and without account object. |
---|
[12915] | 10 | |
---|
[12918] | 11 | The user authentication process in Kofa is quite complex. Briefly |
---|
| 12 | and in simple terms, a so-called authenticator (plugin) validates |
---|
| 13 | the credentials provided via the login form, fetches the matching |
---|
| 14 | account object, extracts the account data and finally leads to the |
---|
| 15 | creation of a temporary user object, a so-called principal. Kofa |
---|
| 16 | principals provide `name`, `title`, `email`, `phone`, `public_name` |
---|
| 17 | and `user_type` attributes. |
---|
[12915] | 18 | |
---|
| 19 | Anonymous |
---|
| 20 | ========= |
---|
| 21 | |
---|
[12918] | 22 | Anonymous users do not authenticate and thus do not provide |
---|
| 23 | credentials. Their user id in logfiles is always ``zope.anybody``. |
---|
| 24 | These users gain two permissions: :py:class:`Anonymous |
---|
| 25 | <waeup.kofa.permissions.Anonymous>` and :py:class:`Public |
---|
| 26 | <waeup.kofa.permissions.Public>`. |
---|
[12915] | 27 | |
---|
[12918] | 28 | Only a few actions of anonymous users are logged. These are payment |
---|
| 29 | data webservice requests, the execution of password mandates and the |
---|
| 30 | self-registration of applicants. |
---|
[12915] | 31 | |
---|
| 32 | |
---|
| 33 | Applicants and Students |
---|
| 34 | ======================= |
---|
| 35 | |
---|
[12918] | 36 | Logged-in applicants or students are regular authenticated Kofa |
---|
| 37 | users. Their user account object is an adaption of their |
---|
| 38 | applicant/student object. More precisely, the Applicant/Student |
---|
| 39 | authenticator fetches the matching applicant/student object and |
---|
| 40 | turns it on-the-fly into a Kofa account object which is further used |
---|
| 41 | for creating a principal instance. The `applicant_id`/`student_id` |
---|
| 42 | attribute becomes the user name and the `display_fullname` property |
---|
| 43 | serves as user title. |
---|
[12915] | 44 | |
---|
| 45 | |
---|
| 46 | Officers |
---|
| 47 | ======== |
---|
| 48 | |
---|
[12918] | 49 | Officers are users with a dedicated user account object stored in |
---|
| 50 | the ``users`` container (of type :py:class:`UsersContainer |
---|
| 51 | <waeup.kofa.userscontainer.UsersContainer>`) which is located in |
---|
| 52 | Kofa's root container. The officer account object has two more |
---|
| 53 | attributes than the principal instance which is created from the |
---|
| 54 | account data: (1) a `roles` attribute which is a list of global role |
---|
| 55 | names assigned to the officer, and (2) a private `_local_roles` |
---|
| 56 | attribute. The latter maps local role names to lists of objects the |
---|
| 57 | respective local role applies to. This information is important |
---|
| 58 | because local role assignment is originally stored only with the |
---|
| 59 | objects the role applies to and not with the user who got the role. |
---|
| 60 | When removing a user, Kofa iterates over the mapping and the list of |
---|
| 61 | objects in order to remove all these local role assignments denoted |
---|
| 62 | in the mapping. |
---|
[12915] | 63 | |
---|
[12918] | 64 | The management of portal officers is done in the 'Officers' section |
---|
| 65 | of Kofa. The management page shoes all officers registered in the |
---|
| 66 | portal together with their global and local roles. The table can be |
---|
| 67 | easily sorted or filtered. |
---|
[12915] | 68 | |
---|
| 69 | |
---|
| 70 | Manager |
---|
| 71 | ======= |
---|
| 72 | |
---|
[12918] | 73 | There is one and only one manager account (user id ``zope.manager``) |
---|
| 74 | in Kofa. The manager has access to the root instance of the Kofa |
---|
| 75 | application which has its own user interface (see screenshot below). |
---|
| 76 | Through this 'Grok UI' the manager can access some basic functions |
---|
| 77 | to manage the database and also access the Kofa user interface. |
---|
[12916] | 78 | |
---|
| 79 | .. image:: Grok_UI.png |
---|
| 80 | |
---|
[12918] | 81 | Although the manager automatically gains all permissions the system |
---|
| 82 | defines, this real superuser (or emergency user) neither has an |
---|
| 83 | account in Kofa nor can access Kofa through its regular login page. |
---|
| 84 | The manager has to enter the portal through the Grok UI which |
---|
| 85 | usually ony runs on a localhost port, for example |
---|
| 86 | ``http://localhost:8080``. |
---|