blob: dd475b659c5b54c1211012d1826136dc71b5ee07 (
about) (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
# Permission Hooks System Design
## Status: Draft
## Objective
We want to achieve:
- Default permissions for users that come from `.edu` domains.
- Support for visitors to the website.
This should be dynamic and easily maintenable.
## Design
### Events
* Use middleware to plug into the various aspects of a requests life cycle. We'll plug into `after_request` for providing default permissions.
* Create a hook which contains: the event to handle, what part of the life cycle the hook plugs into and the actual functions to call,
* Events can be identified using their `request.base_url` parameter.
* Each hook registers itself to the global set of hooks (TODO: Figure out how to automatically handle the registration).
```
@app.after_request
def handle_hooks():
for hook in hooks:
if hook.lifecycle == "after_request" and hook.can_handle():
hook.run()
Hooks = [RegistrationHook, ...]
class RegistrationHook:
def can_handle(self):
request.base_url == "register"
def lifecyle:
return "after_request"
def run(self):
...
```
### Privilege Hooks
* After login/registration, use the email to get extra privileges assigned to a user. We use `login` too to ensure that all users have the most up-to-date roles and privileges.
* This means that any user gets assigned these privileges and normal workflows can happen.
### Storage
* Create a new role that contains the default privileges we want to assign to users depending on their domain.
* This role will link up with the privileges to be assigned to said user.
* Example privileges we may want to add to users in the `.edu` domain:
* group:resource:edit-resource
* system:inbreadset:apply-case-attribute-edit
* system:inbreadset:edit-case-attribute
* system:inbreadset:view-case-attribute
* Create an extra table that provides a link between some `email identifier` and the role we'd like to pre-assign. We can use python regex for the email identifier e.g. `*.edu$` or `*.utsch.edu`.
* This will be the table used by the Registration Hook.
* This also allows us to edit roles/privileges without code releases.
|
