source: main/waeup.kofa/trunk/docs/source/userdocs/users.rst @ 12951

Last change on this file since 12951 was 12930, checked in by Henrik Bettermann, 10 years ago

Integrate first Python test into handbook.

File size: 3.7 KB
RevLine 
[12829]1.. _users:
2
[12917]3Users
4*****
[12915]5
[12918]6Kofa distinguishes between four types of users: anonymous users,
7applicants, students, portal officers/managers and the Zope manager.
8Kofa distinguishes further between authenticated and unauthenticated
9users and between users with and without account object.
[12915]10
[12918]11The user authentication process in Kofa is quite complex. Briefly
12and in simple terms, a so-called authenticator (plugin) validates
13the credentials provided via the login form, fetches the matching
14account object, extracts the account data and finally leads to the
15creation of a temporary user object, a so-called principal. Kofa
16principals provide `name`, `title`, `email`, `phone`, `public_name`
17and `user_type` attributes.
[12915]18
[12922]19
[12915]20Anonymous
21=========
22
[12918]23Anonymous users do not authenticate and thus do not provide
24credentials. Their user id in logfiles is always ``zope.anybody``.
25These users gain two permissions: :py:class:`Anonymous
26<waeup.kofa.permissions.Anonymous>` and :py:class:`Public
27<waeup.kofa.permissions.Public>`.
[12915]28
[12918]29Only a few actions of anonymous users are logged. These are payment
30data webservice requests, the execution of password mandates and the
31self-registration of applicants.
[12915]32
33
34Applicants and Students
35=======================
36
[12918]37Logged-in applicants or students are regular authenticated Kofa
38users. Their user account object is an adaption of their
39applicant/student object. More precisely, the Applicant/Student
40authenticator fetches the matching applicant/student object and
41turns it on-the-fly into a Kofa account object which is further used
42for creating a principal instance. The `applicant_id`/`student_id`
43attribute becomes the user name and the `display_fullname` property
44serves as user title.
[12915]45
[12930]46.. _officers:
[12915]47
48Officers
49========
50
[12922]51.. seealso::
52
53   :ref:`Officers Doctests <userscontainer_txt>`
54
[12930]55   :ref:`Officers Python Test <test_suspended_officer>`
56
[12926]57Officers are users with a dedicated user account object stored in the
58``users`` container (of type :py:class:`UsersContainer
59<waeup.kofa.userscontainer.UsersContainer>`) which is located in Kofa's root
60container. The account object has three more attributes than the principal
61instance which is created from the account data: (1) a `suspended` attribute
62which allows to deactivate an account, (2) a `roles` attribute which is a list
63of global role names assigned to the officer, and (3) a private `_local_roles`
64attribute which maps local role names to lists of objects the respective local
65role applies to. This information is important because local role assignment
66is originally stored only with the objects the role applies to and not with
67the user who got the role. When removing an officer, Kofa iterates over the
68mapping and the list of objects in order to remove all these local role
69assignments denoted in the mapping.
[12915]70
[12918]71The management of portal officers is done in the 'Officers' section
[12926]72of Kofa. The management page shows all officers registered in the
[12918]73portal together with their global and local roles. The table can be
[12926]74easily sorted or filtered. Deactivated officer accounst are marked
75``(suspended)``.
[12915]76
77
78Manager
79=======
80
[12918]81There is one and only one manager account (user id ``zope.manager``)
82in Kofa. The manager has access to the root instance of the Kofa
83application which has its own user interface (see screenshot below).
84Through this 'Grok UI' the manager can access some basic functions
85to manage the database and also access the Kofa user interface.
[12916]86
87.. image:: Grok_UI.png
88
[12918]89Although the manager automatically gains all permissions the system
90defines, this real superuser (or emergency user) neither has an
91account in Kofa nor can access Kofa through its regular login page.
92The manager has to enter the portal through the Grok UI which
93usually ony runs on a localhost port, for example
94``http://localhost:8080``.
Note: See TracBrowser for help on using the repository browser.