[12829] | 1 | .. _users: |
---|
| 2 | |
---|
[12917] | 3 | Users |
---|
| 4 | ***** |
---|
[12915] | 5 | |
---|
[12918] | 6 | Kofa distinguishes between four types of users: anonymous users, |
---|
| 7 | applicants, students, portal officers/managers and the Zope manager. |
---|
| 8 | Kofa distinguishes further between authenticated and unauthenticated |
---|
| 9 | users and between users with and without account object. |
---|
[12915] | 10 | |
---|
[12918] | 11 | The user authentication process in Kofa is quite complex. Briefly |
---|
| 12 | and in simple terms, a so-called authenticator (plugin) validates |
---|
| 13 | the credentials provided via the login form, fetches the matching |
---|
| 14 | account object, extracts the account data and finally leads to the |
---|
| 15 | creation of a temporary user object, a so-called principal. Kofa |
---|
| 16 | principals provide `name`, `title`, `email`, `phone`, `public_name` |
---|
| 17 | and `user_type` attributes. |
---|
[12915] | 18 | |
---|
[12922] | 19 | |
---|
[12915] | 20 | Anonymous |
---|
| 21 | ========= |
---|
| 22 | |
---|
[12918] | 23 | Anonymous users do not authenticate and thus do not provide |
---|
| 24 | credentials. Their user id in logfiles is always ``zope.anybody``. |
---|
| 25 | These users gain two permissions: :py:class:`Anonymous |
---|
| 26 | <waeup.kofa.permissions.Anonymous>` and :py:class:`Public |
---|
| 27 | <waeup.kofa.permissions.Public>`. |
---|
[12915] | 28 | |
---|
[12918] | 29 | Only a few actions of anonymous users are logged. These are payment |
---|
| 30 | data webservice requests, the execution of password mandates and the |
---|
| 31 | self-registration of applicants. |
---|
[12915] | 32 | |
---|
[12968] | 33 | .. _applicants_and_students: |
---|
[12915] | 34 | |
---|
| 35 | Applicants and Students |
---|
| 36 | ======================= |
---|
| 37 | |
---|
[12918] | 38 | Logged-in applicants or students are regular authenticated Kofa |
---|
| 39 | users. Their user account object is an adaption of their |
---|
| 40 | applicant/student object. More precisely, the Applicant/Student |
---|
| 41 | authenticator fetches the matching applicant/student object and |
---|
| 42 | turns it on-the-fly into a Kofa account object which is further used |
---|
| 43 | for creating a principal instance. The `applicant_id`/`student_id` |
---|
| 44 | attribute becomes the user name and the `display_fullname` property |
---|
| 45 | serves as user title. |
---|
[12915] | 46 | |
---|
[12930] | 47 | .. _officers: |
---|
[12915] | 48 | |
---|
| 49 | Officers |
---|
| 50 | ======== |
---|
| 51 | |
---|
[12922] | 52 | .. seealso:: |
---|
| 53 | |
---|
| 54 | :ref:`Officers Doctests <userscontainer_txt>` |
---|
| 55 | |
---|
[12930] | 56 | :ref:`Officers Python Test <test_suspended_officer>` |
---|
| 57 | |
---|
[12926] | 58 | Officers are users with a dedicated user account object stored in the |
---|
| 59 | ``users`` container (of type :py:class:`UsersContainer |
---|
| 60 | <waeup.kofa.userscontainer.UsersContainer>`) which is located in Kofa's root |
---|
| 61 | container. The account object has three more attributes than the principal |
---|
| 62 | instance which is created from the account data: (1) a `suspended` attribute |
---|
| 63 | which allows to deactivate an account, (2) a `roles` attribute which is a list |
---|
| 64 | of global role names assigned to the officer, and (3) a private `_local_roles` |
---|
| 65 | attribute which maps local role names to lists of objects the respective local |
---|
| 66 | role applies to. This information is important because local role assignment |
---|
| 67 | is originally stored only with the objects the role applies to and not with |
---|
| 68 | the user who got the role. When removing an officer, Kofa iterates over the |
---|
| 69 | mapping and the list of objects in order to remove all these local role |
---|
| 70 | assignments denoted in the mapping. |
---|
[12915] | 71 | |
---|
[12918] | 72 | The management of portal officers is done in the 'Officers' section |
---|
[12926] | 73 | of Kofa. The management page shows all officers registered in the |
---|
[12918] | 74 | portal together with their global and local roles. The table can be |
---|
[12926] | 75 | easily sorted or filtered. Deactivated officer accounst are marked |
---|
| 76 | ``(suspended)``. |
---|
[12915] | 77 | |
---|
| 78 | |
---|
| 79 | Manager |
---|
| 80 | ======= |
---|
| 81 | |
---|
[12918] | 82 | There is one and only one manager account (user id ``zope.manager``) |
---|
| 83 | in Kofa. The manager has access to the root instance of the Kofa |
---|
| 84 | application which has its own user interface (see screenshot below). |
---|
| 85 | Through this 'Grok UI' the manager can access some basic functions |
---|
| 86 | to manage the database and also access the Kofa user interface. |
---|
[12916] | 87 | |
---|
| 88 | .. image:: Grok_UI.png |
---|
| 89 | |
---|
[12918] | 90 | Although the manager automatically gains all permissions the system |
---|
| 91 | defines, this real superuser (or emergency user) neither has an |
---|
| 92 | account in Kofa nor can access Kofa through its regular login page. |
---|
| 93 | The manager has to enter the portal through the Grok UI which |
---|
| 94 | usually ony runs on a localhost port, for example |
---|
| 95 | ``http://localhost:8080``. |
---|