[Deploying Sakai] create limited admin workspace, limit admin functionality

Gonzalo Silverio gsilver at umich.edu
Mon May 26 10:48:22 PDT 2014


If I remember correctly, the script (after checking via Entity Broker that
the user has the admin lite role) hides all the tools and then shows only the
ones that that role can see. Take a look at that script and make sure that
all the conditions are being fulfilled.

Also, the script had to be modified between 2.8 and 2.9 because the portal
DOM changed.

All else failing, I'd be happy to take a look if it is on a public server.

Gonzalo

On Monday, May 26, 2014, Kurosch Petzold <kurosch.petzold at fu-berlin.de>
wrote:

> Added both scripts and it works for full admin now functionality wise. But
> the adminlite account has no tools at all in the workspace now.
>
> Best Regards
> Kurosch
> > Did you also add a site property to the Administration Workspace:
> >
> >  sakai:includeHtml:  (contents of the script attached to the Jira).  This
> > is intended to hide the buttons that admin lite is not supposed to see.
> >  Not ideal, but all that the permission grain would allow.
> >
> > Gonzalo
> >
> > On Monday, May 26, 2014, Matthew Jones <matthew at longsight.com> wrote:
> >
> >> Which version did you use? It looks like that issue was only fixed in
> >> the trunk version.
> >>
> >> https://jira.sakaiproject.org/browse/ADMX-12
> >>
> >> https://source.sakaiproject.org/contrib/umich/adminlite/trunk/
> >>
> >>
> >> On Mon, May 26, 2014 at 5:24 AM, Kurosch Petzold <
> >> kurosch.petzold at fu-berlin.de> wrote:
> >>
> >> Hey,
> >>
> >> thanks for your replies, both seem to be awesome tools.
> >>
> >> SakaiAdminX is not supported anymore so I would rather get adminlite up
> >> and running.
> >> I said would as it does not seem to work correctly. I set it up like
> >> described in the readme. Changed every pom.xml entry to sakai 2.9.3 and
> >> deployed it just fine.
> >>
> >> However the adminlite user still can use all tools and adminlite does
> >> not work and gives the following error to catalina.out on pressing any
> >> button of the tool:
> >>
> >> 2014-05-26 11:19:10,122  WARN http-bio-8080-exec-8
> >> org.sakaiproject.cheftool.VelocityPortletPaneledAction - CSRF Token
> >> mismatched or missing on velocity action: doSite; toolId=sakai.adminlite
> >>
> >>
> >> Best regards,
> >>
> >> Kurosch
> >>
> >>
> >>
> >> > Cool, I'd forgotten about admin lite. Looks like what it provides is
> >> > completely reworked sites and realms tools that are more restrictive.
> >> > The problem with the tools in the admin workspace is that they check
> >> > for the specific "SecurityService.isSuperUser" permission because they
> >> > don't restrict, for instance, a non-admin from being able to add
> >> > themselves to admin workspace. (Thus becoming admin)
> >> >
> >> > There were some other tools like SakaiAdminX (
> >> > https://confluence.sakaiproject.org/display/ADMX/Home) which still
> >> > might work, and used webservices rather than internal APIs to allow
> >> > creation and modification of site and other information. Using
> >> > something like this or REST (/direct) APIs, for a new or modified
> >> > sites tool (adminlite) does seem like a way to go.
> >> >
> >> > For general permission elevation in other course sites, generally
> >> > delegated access is used, but I don't think this would work for the
> >> > tools that have explicit isSuperUser checks.
> >> >
> >> >
> >> > On Sat, May 24, 2014 at 11:12 AM, Kurosch Petzold <
> >> > kurosch.petzold at fu-berlin.de> wrote:
> >> >
> >> >> Hello,
> >> >>
> >> >> is there a way to create limited permission admin roles or create a
> >> >> second admin workspace with limited number of tools.
> >> >> If neither of them works, could anyone who has/had this problem at
> >> >> their institution/university/company explain to me how they solved
> >> >> it (if there is a solution to it at all).
> >> >>
> >> >> Or to get more to the fact of the actual problem is there a way to
> >> >> use sakai.sites without su?
> >> >>
> >> >> Best regards,
> >> >> Kurosch Petzold
> >> >>
>


-- 
- Gonzalo