Skip to content

Authorization settings for admin #141

Description

@greeny

Features (in admin):

  • new icon ACL in menu
  • role tree (can be by datagrid):
    • parent role is before child role, child role is indented from parent role
    • name only in datagrid
  • create role form (name, parent role)
  • edit role form (name, parent role, allowed resources)
    • each resource is a checkbox (allowed / not allowed)
    • each resource is translated (you can make use of resource naming in style wall.XXX for translations)
    • under / near each checkbox there is smaller text saying e.g. "Allowed by parent role XXX" or "not inherited from parents" (check recursively), this should also change after change of "parent role" input
    • in some later versions, we will probably implement some grouping of resources (parent resource, etc.), but there is no need to do it now
  • edit role users form (role, users with this role)

Other stuff:

  • do not forget to invalidate cache for authorizator after each relevant change
  • default roles should not be deletable and editable (with exception to their permissions). Also keep in mind, that default roles should have translated names (as opposed to user-created roles, which do not have translated name)

New resources:

  • wall.acl.roles - you can access administration of roles, create new roles and modify their permissions, but only with those resources, you have access to. You can also assign roles to users, but only those roles you have (or parents of your roles) - default availability for wall.admin.
  • wall.acl.allResources - you can modify all permissions, even for resources you do not have access to - default availability: wall.owner
  • wall.acl.allRoles - you can assign all roles to users, not only the ones you have - default availability: wall.owner

REST API:

  • roles
    • GET - list of roles for current wall (also parent role id, if any)
    • POST - adds new role
  • roles/{id}
    • POST - updates a role
    • DELETE - deletes a role, if it had children, they will receive parent of currently deleted role, users with deleted role will lose that role
  • roles/{id}/users
    • GET - list of users in that role
    • POST - adds new user to that role (accepts id, returns whole user in same form as in GET)
  • roles/{roleId}/users/{userId}
    • DELETE - deletes user from role

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions