[Building Sakai] Effecting permissions when using role switcher
Stephen Marquard
stephen.marquard at uct.ac.za
Thu Dec 1 00:23:48 PST 2011
Hi David,
Basically you shouldn't grant access based on hard-coded role names;
you should do so based on permissions.
Role names can change across deployments. For example at UCT we have a
Participant role in our project sites, not "access", and "Site owner"
rather than "maintain".
If you really need something role-based, such as differentiating between
tutors and students, you should use the "marker" permissions such as
section.role.ta.
And if you really need to know if the user is "being" another role, you
can call SecurityService.getUserEffectiveRole to find out if they are
viewing the site in a role different to their regular role. But in
general tools should not do that unless there are exceptional reasons to
do so.
Regards
Stephen
Stephen Marquard, Acting Director
Centre for Educational Technology, University of Cape Town
http://www.cet.uct.ac.za
Email/IM/XMPP: stephen.marquard at uct.ac.za
Phone: +27-21-650-5037 Cell: +27-83-500-5290
>>> David Wafula <davidwaf at gmail.com> 12/1/2011 10:03 AM >>>
Hi all,
I am using the following code to implement access to various resources
based on roles. If I am logged in as a student, it works accordingly. If I am
logged in as an instructor, it works accordingly. BUT, if I am logged in as an
instructor and I use role-switch, say to "View as Student", the role doesn't
change; it still sticks to instructor permissions. Anything I could be missing?
Here is the code:
public boolean checkPermissions(String authzGroupName, String functionName) {
    try {
        // Get current site
        String currentSiteId = toolManager.getCurrentPlacement().getContext();
        Site site = siteService.getSite(currentSiteId);

        // Get role of current user
        User currentUser = userDirectoryService.getCurrentUser();
        Role currentUserRole = site.getUserRole(currentUser.getId());
        String userRoleId = currentUserRole.getId();

        // Check if users are registered with these roles. If so, convert
        boolean checkMaintain = userRoleId.equalsIgnoreCase("maintain");
        boolean checkAdmin = userRoleId.equalsIgnoreCase("admin");
        boolean checkAccess = userRoleId.equalsIgnoreCase("access");
        boolean checkRegistered = userRoleId.equalsIgnoreCase("registered");
        if (checkMaintain || checkAdmin || checkRegistered) {
            userRoleId = "Instructor";
        } else if (checkAccess) {
            userRoleId = "Student";
        }

        AuthzGroup ag = authzGroupService.getAuthzGroup(authzGroupName);

        // Get roles
        Role role = ag.getRole(userRoleId);
        if (role == null) {
            return false;
        }

        // Return whether the mapped role has the requested permission
        return role.isAllowed(functionName);
    } catch (Exception ex) {
        LOG.warn("Error with StartHere.checkPermissions()", ex);
    }
    return false;
}
--
David Wafula
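The following is an added example, not David's code and not Stephen's or Sakai's own, showing the permission-based approach Stephen recommends in place of the role-name lookup in the quoted method. It uses the real Sakai kernel calls `ToolManager.getCurrentPlacement().getContext()`, `SiteService.siteReference` and `SecurityService.unlock`; the class name `ToolPermissionChecker`, the setter injection, and the assumption that `SecurityService.getUserEffectiveRole` takes the site's realm id (its reference) and returns null when no switch is active are mine. The point it demonstrates: `site.getUserRole(...)` reads the user's stored membership, which a "View as Student" switch does not alter, whereas a check routed through `SecurityService` sees the switched role.

```java
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.site.api.SiteService;
import org.sakaiproject.tool.api.ToolManager;

/**
 * Permission-based access check for a Sakai tool (added example).
 *
 * Assumes the three Sakai services are injected (for example via the tool's
 * Spring components.xml) and that functionName is a permission registered
 * with Sakai: one of the tool's own functions, or a marker such as
 * "section.role.ta".
 */
public class ToolPermissionChecker {

    private SecurityService securityService;
    private SiteService siteService;
    private ToolManager toolManager;

    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    public void setSiteService(SiteService siteService) {
        this.siteService = siteService;
    }

    public void setToolManager(ToolManager toolManager) {
        this.toolManager = toolManager;
    }

    /** Reference of the site the current tool placement lives in, e.g. "/site/abc123". */
    private String currentSiteReference() {
        String siteId = toolManager.getCurrentPlacement().getContext();
        return siteService.siteReference(siteId);
    }

    /**
     * True if the current user may perform functionName in the current site.
     * Goes through SecurityService rather than reading the user's stored
     * membership role, so no role names ("maintain", "access", ...) are
     * hard-coded and a "View as ..." role switch is respected.
     */
    public boolean isAllowedInCurrentSite(String functionName) {
        return securityService.unlock(functionName, currentSiteReference());
    }

    /** Tutor/student distinction via the marker permission instead of a role id. */
    public boolean isTeachingAssistantInCurrentSite() {
        return isAllowedInCurrentSite("section.role.ta");
    }

    /**
     * Only for the exceptional case where a tool must know that the user is
     * currently viewing the site as a role other than their own.
     * Assumption: getUserEffectiveRole takes the authz group (realm) id, which
     * for a site is its reference, and returns null when no switch is active.
     */
    public boolean isViewingAsSwitchedRole() {
        String effectiveRole = securityService.getUserEffectiveRole(currentSiteReference());
        return effectiveRole != null;
    }
}
```

Callers replace `checkPermissions(realm, "tool.function")` with `isAllowedInCurrentSite("tool.function")`; because the permission, not the role, is the unit of authorization, a deployment that names its roles "Participant" and "Site owner" instead of "access" and "maintain" works without any code change.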