[Building Sakai] Effecting permissions when using role switcher

David Wafula davidwaf at gmail.com
Thu Dec 1 00:50:15 PST 2011


Thanks Stephen. I will certainly remove the hardcoded roles once I get
things working smoothly. I'm afraid SecurityService.getUserEffectiveRole is
always giving me null:

// Look up the authz group and print the role the current user is "viewing as"
public final static String GROUP_TEMPLATE_COURSE = "!group.template.course";
AuthzGroup ag = authzGroupService.getAuthzGroup(GROUP_TEMPLATE_COURSE);
System.out.println("Effective user role " + securityService.getUserEffectiveRole(ag.getId()));


Am I doing this right?

Regards.


On Thu, Dec 1, 2011 at 10:23 AM, Stephen Marquard <stephen.marquard at uct.ac.za> wrote:

> Hi David,
>
> Basically you shouldn't grant access based on hard-coded role names,
> you should do so based on permissions.
>
> Role names can change across deployments. For example at UCT we have a
> Participant role in our project sites, not "access", and "Site owner"
> rather than "maintain".
>
> If you really need something role-based, such as differentiating between
> tutors and students, you should use the "marker" permissions such as
> section.role.ta.
>
> And if you really need to know if the user is "being" another role, you
> can call SecurityService.getUserEffectiveRole to find out if they are
> viewing the site in a role different to their regular role. But in
> general tools should not do that unless there are exceptional reasons to
> do so.
>
> Regards
> Stephen
>
> Stephen Marquard, Acting Director
> Centre for Educational Technology, University of Cape Town
> http://www.cet.uct.ac.za
> Email/IM/XMPP: stephen.marquard at uct.ac.za
> Phone: +27-21-650-5037 Cell: +27-83-500-5290
>
>
>
> >>> David Wafula <davidwaf at gmail.com> 12/1/2011 10:03 AM >>>
> Hi all,
> I'm using the following code to implement access to various resources based
> on roles. If I'm logged in as a student, it works accordingly. If I'm logged
> in as an instructor, it works accordingly. BUT, if I'm logged in as an
> instructor and I use role-switch, say to "View as Student", the role doesn't
> change; it still sticks to instructor permissions. Anything I could be
> missing? Here is the code:
>
>    public boolean checkPermissions(String authzGroupName, String functionName) {
>        try {
>            // Get the current site from the tool placement
>            String currentSiteId = toolManager.getCurrentPlacement().getContext();
>            Site site = siteService.getSite(currentSiteId);
>
>            // Get the role of the current user in that site
>            User currentUser = userDirectoryService.getCurrentUser();
>            Role currentUserRole = site.getUserRole(currentUser.getId());
>            if (currentUserRole == null) {
>                // User is not a member of the site
>                return false;
>            }
>            String userRoleId = currentUserRole.getId();
>
>            // Map the site's role ids onto the two roles this tool knows about
>            boolean checkMaintain = userRoleId.equalsIgnoreCase("maintain");
>            boolean checkAdmin = userRoleId.equalsIgnoreCase("admin");
>            boolean checkAccess = userRoleId.equalsIgnoreCase("access");
>            boolean checkRegistered = userRoleId.equalsIgnoreCase("registered");
>
>            if (checkMaintain || checkAdmin || checkRegistered) {
>                userRoleId = "Instructor";
>            } else if (checkAccess) {
>                userRoleId = "Student";
>            }
>
>            AuthzGroup ag = authzGroupService.getAuthzGroup(authzGroupName);
>
>            // Look up the mapped role in the requested authz group
>            Role role = ag.getRole(userRoleId);
>            if (role == null) {
>                return false;
>            }
>
>            // Check whether that role is allowed the requested function
>            return role.isAllowed(functionName);
>        } catch (Exception ex) {
>            LOG.warn("Error with StartHere.checkPermissions()", ex);
>        }
>        return false;
>    }
>
> --
> David Wafula
>


-- 
David Wafula
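A permission-based version of checkPermissions() along the lines Stephen suggests, added here as an example and not code from the thread or from Sakai itself. It assumes the Sakai 2.8+ SecurityService and SiteService API and the same injected services (toolManager, siteService, securityService, LOG) as the original snippet, and it passes the site's own authz group reference (/site/<siteId>), which is what the role switcher is keyed to, rather than the "!group.template.course" template.

```java
// Added example, not from the thread: decide access by checking the
// permission (function) name, never by comparing role ids. Role names vary
// per deployment (e.g. "Participant" instead of "access"); function names do not.
public boolean checkPermissions(String functionName) {
    try {
        // Current site, taken from the tool placement as in the original code
        String currentSiteId = toolManager.getCurrentPlacement().getContext();

        // The site's authz group reference, e.g. "/site/<siteId>". This is the
        // realm the user's (possibly swapped) role lives in; the course template
        // "!group.template.course" has no members and no swapped role.
        String siteRef = siteService.siteReference(currentSiteId);

        // SecurityService.unlock evaluates the function against the user's
        // effective role in that realm, so a "View as Student" swap is honoured.
        boolean allowed = securityService.unlock(functionName, siteRef);

        // Diagnostics only: non-null when the user is "viewing as" another role.
        // Tools should not branch on this except for exceptional reasons.
        String effectiveRole = securityService.getUserEffectiveRole(siteRef);
        if (effectiveRole != null) {
            LOG.debug("User is viewing site " + currentSiteId + " as role " + effectiveRole);
        }
        return allowed;
    } catch (Exception ex) {
        LOG.warn("Error with StartHere.checkPermissions()", ex);
        return false;
    }
}

// Differentiating tutors from students by the "marker" permission Stephen
// mentions, rather than by role name. Assumes section.role.ta is granted to
// the tutor role in the site's realm (deployment-specific).
public boolean isTeachingAssistant() {
    String siteRef = siteService.siteReference(toolManager.getCurrentPlacement().getContext());
    return securityService.unlock("section.role.ta", siteRef);
}
```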