Changeset 12847


Ignore:
Timestamp:
3 Apr 2015, 17:45:48 (10 years ago)
Author:
Henrik Bettermann
Message:

Update security documentation.

Location:
main/waeup.kofa/trunk
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • main/waeup.kofa/trunk/docs/source/userdocs/security.rst

    r12844 r12847  
    1313===========
    1414
    15 The whole set of permissions and roles are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are essential for the security settings configuration.
     15The whole set of permission and role classes are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are essential for the security settings configuration.
    1616
    1717General Permissions
     
    130130Many global roles do only bundle one or two permissions. The objective behind is to share responsibilities and distribute tasks.
    131131
     132Global roles are being assigned via the user manage form page.
     133
    132134Global General Roles
    133135--------------------
     
    171173--------------------------------
    172174
     175Global Application Section Roles are assigned portal-wide (globally) but do actually only allocate permissions in the Application Section.
     176
    173177.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
    174178   :noindex:
     
    183187----------------------------
    184188
     189Global Student Section Roles are assigned portal-wide (globally) but do actually only allocate permissions in the Student Section.
     190
    185191.. autoclass:: waeup.kofa.students.permissions.StudentRole()
    186192   :noindex:
     
    201207   :noindex:
    202208
    203 Local Roles
    204 ===========
    205 
    206 Dynamic Roles
    207 =============
     209Local Roles and Dynamic Role Assignment
     210=======================================
     211
     212In contrast to global roles, which are assigned portal-wide, local role permissions are gained for a specific context.
     213
     214Some local roles serve a second purpose. At first glance it appears strange that some of these 'odd' roles do not give more permissions than the user already has due to other roles. Their real purpose is to delegate permissions to the students or application section. If a user has for example the LocalStudentsManager role described below at department level, s/he automatically gets the StudentsManager role for those students studying in this department. We call this a **dynamic role**. In contrast to static global or local roles, dynamic roles are not stored in the database, they are dynamically assigned.
     215
     216Local roles are assigned either automatically by the system during user object setup or manually through the web interface. The automatically assigned local roles are:
     217
     218.. autoclass:: waeup.kofa.permissions.Owner()
     219   :noindex:
     220
     221.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
     222   :noindex:
     223
     224.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
     225   :noindex:
     226
     227All other local roles must be assigned manually via context manage form pages.
     228
     229.. autoclass:: waeup.kofa.permissions.ApplicationManager()
     230   :noindex:
     231
     232.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
     233   :noindex:
     234
     235.. autoclass:: waeup.kofa.permissions.DepartmentManager()
     236   :noindex:
     237
     238.. autoclass:: waeup.kofa.permissions.Lecturer()
     239   :noindex:
     240
     241The following local roles do also delegate permissions to the student section. In other words, dynamic roles are assigned.
     242
     243.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
     244   :noindex:
     245
     246.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
     247   :noindex:
     248
     249.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
     250   :noindex:
     251
     252.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
     253   :noindex:
     254
     255.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
     256   :noindex:
     257
     258.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
     259   :noindex:
  • main/waeup.kofa/trunk/src/waeup/kofa/applicants/permissions.py

    r10226 r12847  
    2424
    2525class HandleApplication(grok.Permission):
     26    """The HandleApplication permission is reserved for applicants.
     27    Applicants 'handle' their data. Officers 'manage' the data.
     28    """
    2629    grok.name('waeup.handleApplication')
    2730
    2831class ViewApplication(grok.Permission):
     32    """The ViewApplication permission allows to view application records.
     33    """
    2934    grok.name('waeup.viewApplication')
    3035
     
    3641
    3742class ManageApplication(grok.Permission):
     43    """The ManageApplication permission allows to edit the data. This
     44    permission is reserved for officers and portal managers.
     45    """
    3846    grok.name('waeup.manageApplication')
    3947
    4048class ViewApplicationStatistics(grok.Permission):
     49    """The ViewApplicationStatistics permission allows to perform statistical
     50    evaluations. Only portal managers have this permission.
     51    """
    4152    grok.name('waeup.viewApplicationStatistics')
    4253
    4354class PayApplicant(grok.Permission):
     55    """The PayApplicant permission allows to add an online payment ticket.
     56    """
    4457    grok.name('waeup.payApplicant')
    4558
    4659# Local role
     60
    4761class ApplicationOwner(grok.Role):
     62    """An applicant 'owns' her/his application record and
     63    gains permissions to handle the record, upload a passport picture or
     64    add payment tickets.
     65    """
    4866    grok.name('waeup.local.ApplicationOwner')
    4967    grok.title(u'Application Owner')
    50     grok.permissions('waeup.handleApplication', 'waeup.viewApplication',
     68    grok.permissions('waeup.handleApplication',
     69                     'waeup.viewApplication',
    5170                     'waeup.payApplicant')
    5271
    53 # Site role
     72# Site roles
    5473
    5574class ApplicantRole(grok.Role):
     75    """This role is dedicated to applicants only. It defines the permissions
     76    an applicant gains portal-wide.
     77    """
    5678    grok.name('waeup.Applicant')
    5779    grok.permissions('waeup.viewAcademics', 'waeup.viewMyApplicationDataTab',
     
    5981
    6082class ApplicationsOfficer(grok.Role):
     83    """The Applications Officer is allowed to view all application records.
     84    """
    6185    grok.name('waeup.ApplicationsOfficer')
    6286    grok.title(u'Applications Officer (view only)')
     
    6488
    6589class ApplicationsManager(grok.Role):
     90    """The Applications Officer is allowed to edit all application records.
     91    The role allows also to add payment tickets.
     92    """
    6693    grok.name('waeup.ApplicationsManager')
    6794    grok.title(u'Applications Manager')
  • main/waeup.kofa/trunk/src/waeup/kofa/permissions.py

    r12844 r12847  
    115115    """The ManageDataCenter permission allows to access all pages
    116116    in the Data Center and to upload files. It does not automatically
    117     allow to process uploaded data.
     117    allow to process uploaded data files.
    118118    """
    119119    grok.name('waeup.manageDataCenter')
     
    121121class ImportData(grok.Permission):
    122122    """The ImportData permission allows to batch process (import) any kind of
    123     portal data except for user data. This User Data processor
     123    portal data except for user data. The User Data processor
    124124    requires also the ManageUsers permission.
    125125    """
     
    164164
    165165# Local Roles
     166
    166167class ApplicationsManager(grok.Role):
    167     """
     168    """The local ApplicationsManager role can be assigned at department level.
     169    Local Applications Managers do not gain further permissions. This role is
     170    meant for the assignment of dynamic roles only, see below.
    168171    """
    169172    grok.name('waeup.local.ApplicationsManager')
     
    172175
    173176class DepartmentManager(grok.Role):
    174     """
     177    """The local DepartmentManager role can be assigned at faculty or
     178    department level. The role allows to edit all data within this container.
     179    It does not automatically allow to remove sub-containers.
     180
     181    Department Managers (Dean of Faculty or Head of Department respectively)
     182    can also list student data but not access student pages.
    175183    """
    176184    grok.name('waeup.local.DepartmentManager')
     
    181189
    182190class DepartmentOfficer(grok.Role):
    183     """
     191    """The local DepartmentOfficer role can be assigned at faculty or
     192    department level. The role allows to list all student data within the
     193    faculty/department the local role is assigned.
     194
     195    Department Managers (Dean of Faculty or Head of Department respectively)
     196    can also list student data but not access student pages. They can
     197    furthermore export payment overviews.
    184198    """
    185199    grok.name('waeup.local.DepartmentOfficer')
     
    190204
    191205class ClearanceOfficer(grok.Role):
    192     """The clearance officer role is meant for the
    193     assignment of dynamic roles only.
     206    """The local ClearanceOfficer role can be assigned at faculty or
     207    department level. The role allows to list or export all student
     208    data within the faculty/department the local role is assigned.
     209
     210    Clearance Officers can furthermore clear all students or reject clearance
     211    of all students in their faculty/department. They get the
     212    StudentsClearanceOfficer role for this subset of students.
    194213    """
    195214    grok.name('waeup.local.ClearanceOfficer')
     
    201220
    202221class LocalStudentsManager(grok.Role):
    203     """The local students manager role is meant for the
    204     assignment of dynamic roles only.
     222    """The local LocalStudentsManager role can be assigned at faculty or
     223    department level. The role allows to view all data and to view or export
     224    all student data within the faculty/department the local role is assigned.
     225
     226    Local Students Managers can furthermore manage data of students
     227    in their faculty/department. They get the StudentsManager role for
     228    this subset of students.
    205229    """
    206230    grok.name('waeup.local.LocalStudentsManager')
     
    211235
    212236class LocalWorkflowManager(grok.Role):
    213     """The local workflow manager role is meant for the
    214     assignment of dynamic roles only.
     237    """The local LocalWorkflowManager role can be assigned at faculty level.
     238    The role allows to view all data and to list or export
     239    all student data within the faculty the local role is assigned.
     240
     241    Local Workflow Managers can trigger transition of students in their
     242    faculty/department. They get the WorkflowManager role for
     243    this subset of students.
    215244    """
    216245    grok.name('waeup.local.LocalWorkflowManager')
     
    221250
    222251class UGClearanceOfficer(grok.Role):
    223     """The clearance officer role is meant for the
    224     assignment of dynamic roles only.
     252    """UG Clearance Officers are regular Clearance Officers with restricted
     253    dynamic permission assignment. They can only access undergraduate
     254    students.
    225255    """
    226256    grok.name('waeup.local.UGClearanceOfficer')
     
    232262
    233263class PGClearanceOfficer(grok.Role):
    234     """The clearance officer role is meant for the
    235     assignment of dynamic roles only.
     264    """PG Clearance Officers are regular Clearance Officers with restricted
     265    dynamic permission assignment. They can only access postgraduate
     266    students.
    236267    """
    237268    grok.name('waeup.local.PGClearanceOfficer')
     
    243274
    244275class CourseAdviser100(grok.Role):
    245     """The 100 level course adviser role is meant for the
    246     assignment of dynamic roles only.
     276    """The local CourseAdviser100 role can be assigned at faculty,
     277    department or certificate level. The role allows to view all data and
     278    to list or export all student data within the faculty, department
     279    or certificate the local role is assigned.
     280
     281    Local Course Advisers can validate or reject course lists of students
     282    in ther faculty/department/certificate at level 100.
     283    They get the StudentsCourseAdviser role for this subset of students.
    247284    """
    248285    grok.name('waeup.local.CourseAdviser100')
     
    253290
    254291class CourseAdviser200(grok.Role):
    255     """The course 200 level adviser role is meant for the
    256     assignment of dynamic roles only.
     292    """Same as CourseAdviser100 but for level 200.
    257293    """
    258294    grok.name('waeup.local.CourseAdviser200')
     
    263299
    264300class CourseAdviser300(grok.Role):
    265     """The 300 level course adviser role is meant for the
    266     assignment of dynamic roles only.
     301    """Same as CourseAdviser100 but for level 300.
    267302    """
    268303    grok.name('waeup.local.CourseAdviser300')
     
    273308
    274309class CourseAdviser400(grok.Role):
    275     """The 400 level course adviser role is meant for the
    276     assignment of dynamic roles only.
     310    """Same as CourseAdviser100 but for level 400.
    277311    """
    278312    grok.name('waeup.local.CourseAdviser400')
     
    283317
    284318class CourseAdviser500(grok.Role):
    285     """The 500 level course adviser role is meant for the
    286     assignment of dynamic roles only.
     319    """Same as CourseAdviser100 but for level 500.
    287320    """
    288321    grok.name('waeup.local.CourseAdviser500')
     
    293326
    294327class CourseAdviser600(grok.Role):
    295     """The 600 level course adviser role is meant for the
    296     assignment of dynamic roles only.
     328    """Same as CourseAdviser100 but for level 600.
    297329    """
    298330    grok.name('waeup.local.CourseAdviser600')
     
    303335
    304336class CourseAdviser700(grok.Role):
    305     """The 700 level course adviser role is meant for the
    306     assignment of dynamic roles only.
     337    """Same as CourseAdviser100 but for level 700.
    307338    """
    308339    grok.name('waeup.local.CourseAdviser700')
     
    313344
    314345class CourseAdviser800(grok.Role):
    315     """The 800 level course adviser role is meant for the
    316     assignment of dynamic roles only.
     346    """Same as CourseAdviser100 but for level 800.
    317347    """
    318348    grok.name('waeup.local.CourseAdviser800')
     
    323353
    324354class Lecturer(grok.Role):
    325     """The lecturer role is meant for the
    326     assignment of dynamic roles only.
     355    """The local Lecturer role can be assigned at course level.
     356    The role allows to view all data and to list or export all student
     357    ata within course the local role is assigned. Lecturers can't access
     358    student data directly but they can edit the scores in course tickets.
    327359    """
    328360    grok.name('waeup.local.Lecturer')
     
    334366
    335367class Owner(grok.Role):
     368    """Each user 'owns' her/his user object and gains permission to edit
     369    some of the user attributes.
     370    """
    336371    grok.name('waeup.local.Owner')
    337372    grok.title(u'Owner')
     
    339374
    340375# Site Roles
     376
    341377class AcademicsOfficer(grok.Role):
    342378    """An Academics Officer can view but not edit data in the
     
    364400class ACManager(grok.Role):
    365401    """This is the role for Access Code Managers.
    366     An ACManager can view and manage the Accesscodes Section, see
     402    An AC Manager can view and manage the Accesscodes Section, see
    367403    ManageACBatches permission above.
    368404    """
     
    374410    """This single-permission role is dedicated to those users
    375411    who are charged with batch processing of portal data.
    376     A DataCenterManager manager can access all pages in the Data Center,
     412    A Data Center Manager can access all pages in the Data Center,
    377413    see ManageDataCenter permission above.
    378414    """
     
    382418
    383419class ImportManager(grok.Role):
    384     """An ImportManager is a DataCenterManager who is also allowed
     420    """An Import Manager is a Data Center Manager who is also allowed
    385421    to batch process (import) data. All batch processors (importers) are
    386422    available except for the User Processor. This processor requires the
    387     UsersManager role too. The ImportManager role includes the
     423    Users Manager role too. The ImportManager role includes the
    388424    DataCenterManager role but not vice versa.
    389425    """
     
    394430
    395431class ExportManager(grok.Role):
    396     """An ExportManager is a DataCenterManager who is also allowed
     432    """An Export Manager is a Data Center Manager who is also allowed
    397433    to export all kind of portal data. The ExportManager role includes the
    398434    DataCenterManager role but not vice versa.
     
    404440
    405441class BursaryOfficer(grok.Role):
    406     """BursaryOfficers can export bursary data. They can't access the
     442    """Bursary Officers can export bursary data. They can't access the
    407443    Data Center but see student data export buttons in the Academic Section.
    408444    """
     
    414450
    415451class UsersManager(grok.Role):
    416     """A UsersManager can add, remove or edit
     452    """A Users Manager can add, remove or edit
    417453    user accounts, see ManageUsers permission for further information.
    418454    Be very careful with this role.
     
    424460
    425461class WorkflowManager(grok.Role):
    426     """The WorkflowManager can trigger workflow transitions
     462    """The Workflow Manager can trigger workflow transitions
    427463    of student and document objects, see TriggerTransition permission
    428464    for further information.
     
    433469
    434470class PortalManager(grok.Role):
    435     """The portal manager role is the maximum set of Kofa permissions
     471    """The PortalManager role is the maximum set of Kofa permissions
    436472    which are needed to manage the entire portal. This set must not
    437473    be customized. It is recommended to assign this role only
  • main/waeup.kofa/trunk/src/waeup/kofa/students/permissions.py

    r12843 r12847  
    2424
    2525class HandleStudent(grok.Permission):
     26    """
     27    The HandleStudent permission is reserved for students.
     28    Students 'handle' their data. Officers 'manage' the data.
     29    """
    2630    grok.name('waeup.handleStudent')
    2731
    2832class ViewStudent(grok.Permission):
     33    """
     34    The ViewStudent permission allows to view all student data.
     35    """
    2936    grok.name('waeup.viewStudent')
    3037
     
    3340
    3441class ViewStudentsContainer(grok.Permission):
     42    """The ViewStudentsContainer permission allows to view the students root
     43    container page.
     44    """
    3545    grok.name('waeup.viewStudentsContainer')
    3646
    3747class PayStudent(grok.Permission):
     48    """The PayStudent permission allows to add an online payment ticket and to
     49    manage tickets.
     50    """
    3851    grok.name('waeup.payStudent')
    3952
    4053class HandleAccommodation(grok.Permission):
     54    """The HandleAccommodation allows to manage bed tickets.
     55    """
    4156    grok.name('waeup.handleAccommodation')
    4257
    4358class UploadStudentFile(grok.Permission):
     59    """The UploadStudentFile permissions allows to upload the passport picture.
     60    The respective page additionally checks the state of the student.
     61    """
    4462    grok.name('waeup.uploadStudentFile')
    4563
    4664class ManageStudent(grok.Permission):
     65    """The ManageStudent permission allows to edit the data.
     66    This permission is meant for clearance officers.
     67    """
    4768    grok.name('waeup.manageStudent')
    4869
    4970class ClearStudent(grok.Permission):
     71    """The ClearStudent permission is needed to clear students
     72    or to reject clearance. This permission is meant for course advisers.
     73    """
    5074    grok.name('waeup.clearStudent')
    5175
    5276class ValidateStudent(grok.Permission):
     77    """The ValidateStudent permission is needed to validate or reject
     78    course lists. This permission is not needed if users
     79    already have the TriggerTransition permission.
     80    """
    5381    grok.name('waeup.validateStudent')
    5482
    5583class EditStudyLevel(grok.Permission):
     84    """The EditStudyLevel permission is needed for editing course lists.
     85    Students and course advisers do have this permission.
     86    """
    5687    grok.name('waeup.editStudyLevel')
    5788
    5889class LoginAsStudent(grok.Permission):
     90    """The LoginAsStudent is needed to set temporary student passwords
     91    and login as (impersonate) students.
     92    """
    5993    grok.name('waeup.loginAsStudent')
    6094
    6195# Local role
    6296class StudentRecordOwner(grok.Role):
     97    """A student 'owns' her/his student object and subobjects and
     98    gains permissions to handle all data, upload a passport picture,
     99    add payment tickets, create and edit course lists and handle accommodation.
     100    """
    63101    grok.name('waeup.local.StudentRecordOwner')
    64102    grok.title(u'Student Record Owner')
     
    72110# Site Roles
    73111class StudentRole(grok.Role):
     112    """This role is dedicated to students only.
     113    It defines the permissions a student gains portal-wide.
     114    """
    74115    grok.name('waeup.Student')
    75116    grok.title(u'Student (do not assign)')
     
    79120
    80121class StudentsOfficer(grok.Role):
     122    """The Students Officer is allowed to view all student data.
     123    """
    81124    grok.name('waeup.StudentsOfficer')
    82125    grok.title(u'Students Officer (view only)')
     
    85128
    86129class StudentsManager(grok.Role):
     130    """The Students Officer is allowed to edit all student data, to
     131    create payment tickets, to handle bed tickets and to upload passport
     132    pictures.
     133    """
    87134    grok.name('waeup.StudentsManager')
    88135    grok.title(u'Students Manager')
     
    104151
    105152class StudentsClearanceOfficer(grok.Role):
     153    """The global StudentsClearanceOfficer role enables users to view all
     154    student data, to clear students and to reject clearance portal-wide.
     155    Usually, this role is not assigned manually.
     156    We are using the correspondent local role instead which assigns the
     157    StudentsClearanceOfficer role dynamically.
     158    """
    106159    grok.name('waeup.StudentsClearanceOfficer')
    107160    grok.title(u'Clearance Officer (all students)')
     
    110163
    111164class StudentsCourseAdviser(grok.Role):
     165    """The global StudentsCourseAdviser role enables users to view all
     166    student data, to edit, validate or reject course lists  portal-wide.
     167    Usually, this role is not assigned manually.
     168    We are using the correspondent local role instead which assigns the
     169    StudentsCourseAdviser role dynamically.
     170    """
    112171    grok.name('waeup.StudentsCourseAdviser')
    113172    grok.title(u'Course Adviser (all students)')
     
    117176
    118177class StudentImpersonator(grok.Role):
     178    """The Student Impersonator gains the LoginAsStudent permission,
     179    nothing else, see description above.
     180    """
    119181    grok.name('waeup.StudentImpersonator')
    120182    grok.title(u'Student Impersonator')
  • main/waeup.kofa/trunk/src/waeup/kofa/students/tests/test_browser.py

    r12632 r12847  
    688688        self.assertEqual(self.browser.headers['Content-Type'],
    689689                         'application/pdf')
     690        # We want to see the signature fields.
     691        IWorkflowState(self.student).setState('cleared')
     692        self.browser.open(self.student_path + '/clearance_slip.pdf')
     693        self.assertEqual(self.browser.headers['Status'], '200 Ok')
     694        self.assertEqual(self.browser.headers['Content-Type'],
     695                         'application/pdf')
     696        path = os.path.join(samples_dir(), 'clearance_slip.pdf')
     697        open(path, 'wb').write(self.browser.contents)
     698        print "Sample PDF clearance_slip.pdf written to %s" % path
    690699
    691700    def test_manage_course_lists(self):
Note: See TracChangeset for help on using the changeset viewer.