1 | .. _users: |
---|
2 | |
---|
3 | Users |
---|
4 | ***** |
---|
5 | |
---|
6 | Kofa distinguishes between four types of users: anonymous users, |
---|
7 | applicants, students, portal officers/managers and the Zope manager. |
---|
8 | Kofa distinguishes further between authenticated and unauthenticated |
---|
9 | users and between users with and without account object. |
---|
10 | |
---|
11 | The user authentication process in Kofa is quite complex. Briefly |
---|
12 | and in simple terms, a so-called authenticator (plugin) validates |
---|
13 | the credentials provided via the login form, fetches the matching |
---|
14 | account object, extracts the account data and finally leads to the |
---|
15 | creation of a temporary user object, a so-called principal. Kofa |
---|
16 | principals provide `name`, `title`, `email`, `phone`, `public_name` |
---|
17 | and `user_type` attributes. |
---|
18 | |
---|
19 | |
---|
20 | Anonymous |
---|
21 | ========= |
---|
22 | |
---|
23 | Anonymous users do not authenticate and thus do not provide |
---|
24 | credentials. Their user id in logfiles is always ``zope.anybody``. |
---|
25 | These users gain two permissions: :py:class:`Anonymous |
---|
26 | <waeup.kofa.permissions.Anonymous>` and :py:class:`Public |
---|
27 | <waeup.kofa.permissions.Public>`. |
---|
28 | |
---|
29 | Only a few actions of anonymous users are logged. These are payment |
---|
30 | data webservice requests, the execution of password mandates and the |
---|
31 | self-registration of applicants. |
---|
32 | |
---|
33 | .. _applicants_and_students: |
---|
34 | |
---|
35 | Applicants and Students |
---|
36 | ======================= |
---|
37 | |
---|
38 | Logged-in applicants or students are regular authenticated Kofa |
---|
39 | users. Their user account object is an adaption of their |
---|
40 | applicant/student object. More precisely, the Applicant/Student |
---|
41 | authenticator fetches the matching applicant/student object and |
---|
42 | turns it on-the-fly into a Kofa account object which is further used |
---|
43 | for creating a principal instance. The `applicant_id`/`student_id` |
---|
44 | attribute becomes the user name and the `display_fullname` property |
---|
45 | serves as user title. |
---|
46 | |
---|
47 | .. _officers: |
---|
48 | |
---|
49 | Officers |
---|
50 | ======== |
---|
51 | |
---|
52 | .. seealso:: |
---|
53 | |
---|
54 | :ref:`Officers Doctests <userscontainer_txt>` |
---|
55 | |
---|
56 | :ref:`Officers Python Test <test_suspended_officer>` |
---|
57 | |
---|
58 | Officers are users with a dedicated user account object stored in the |
---|
59 | ``users`` container (of type :py:class:`UsersContainer |
---|
60 | <waeup.kofa.userscontainer.UsersContainer>`) which is located in Kofa's root |
---|
61 | container. The account object has three more attributes than the principal |
---|
62 | instance which is created from the account data: (1) a `suspended` attribute |
---|
63 | which allows to deactivate an account, (2) a `roles` attribute which is a list |
---|
64 | of global role names assigned to the officer, and (3) a private `_local_roles` |
---|
65 | attribute which maps local role names to lists of objects the respective local |
---|
66 | role applies to. This information is important because local role assignment |
---|
67 | is originally stored only with the objects the role applies to and not with |
---|
68 | the user who got the role. When removing an officer, Kofa iterates over the |
---|
69 | mapping and the list of objects in order to remove all these local role |
---|
70 | assignments denoted in the mapping. |
---|
71 | |
---|
72 | The management of portal officers is done in the 'Officers' section |
---|
73 | of Kofa. The management page shows all officers registered in the |
---|
74 | portal together with their global and local roles. The table can be |
---|
75 | easily sorted or filtered. Deactivated officer accounst are marked |
---|
76 | ``(suspended)``. |
---|
77 | |
---|
78 | |
---|
79 | Manager |
---|
80 | ======= |
---|
81 | |
---|
82 | There is one and only one manager account (user id ``zope.manager``) |
---|
83 | in Kofa. The manager has access to the root instance of the Kofa |
---|
84 | application which has its own user interface (see screenshot below). |
---|
85 | Through this 'Grok UI' the manager can access some basic functions |
---|
86 | to manage the database and also access the Kofa user interface. |
---|
87 | |
---|
88 | .. image:: Grok_UI.png |
---|
89 | |
---|
90 | Although the manager automatically gains all permissions the system |
---|
91 | defines, this real superuser (or emergency user) neither has an |
---|
92 | account in Kofa nor can access Kofa through its regular login page. |
---|
93 | The manager has to enter the portal through the Grok UI which |
---|
94 | usually ony runs on a localhost port, for example |
---|
95 | ``http://localhost:8080``. |
---|