[Building Sakai] Effecting permissions when using role switcher
David Wafula
davidwaf at gmail.com
Thu Dec 1 00:50:15 PST 2011
Thanks Stephen. I will certainly remove the hardcoded roles once I get
things working smoothly. I'm afraid SecurityService.getUserEffectiveRole is
always giving me null:
public final static String GROUP_TEMPLATE_COURSE = "!group.template.course";
AuthzGroup ag = authzGroupService.getAuthzGroup(GROUP_TEMPLATE_COURSE);
System.out.println("Effective user role " + securityService.getUserEffectiveRole(ag.getId()));
Am I doing this right?
Regards.
On Thu, Dec 1, 2011 at 10:23 AM, Stephen Marquard <
stephen.marquard at uct.ac.za> wrote:
> Hi David,
>
> Basically you shouldn't grant access based on hard-coded role names,
> you should do so based on permissions.
>
> Role names can change across deployments. For example at UCT we have a
> Participant role in our project sites, not "access", and "Site owner"
> rather than "maintain".
>
> If you really need something role-based like to differentiate between
> tutors and students, you should use the "marker" permissions such as
> section.role.ta.
>
> And if you really need to know if the user is "being" another role, you
> can call SecurityService.getUserEffectiveRole to find out if they are
> viewing the site in a role different to their regular role. But in
> general tools should not do that unless there are exceptional reasons to
> do so.
>
> Regards
> Stephen
>
> Stephen Marquard, Acting Director
> Centre for Educational Technology, University of Cape Town
> http://www.cet.uct.ac.za
> Email/IM/XMPP: stephen.marquard at uct.ac.za
> Phone: +27-21-650-5037 Cell: +27-83-500-5290
>
> >>> David Wafula <davidwaf at gmail.com> 12/1/2011 10:03 AM >>>
> Hi all,
> I'm using the following code to implement access to various resources
> based on roles. If I'm logged in as a student, it works accordingly. If
> I'm logged in as an instructor, it works accordingly. BUT, if I'm logged
> in as an instructor and I use role-switch, say to "View as Student", the
> role doesn't change; it still sticks to instructor permissions. Anything
> I could be missing? Here is the code:
>
> public boolean checkPermissions(String authzGroupName, String functionName) {
>     try {
>         //Get current site
>         String currentSiteId = toolManager.getCurrentPlacement().getContext();
>         Site site = siteService.getSite(currentSiteId);
>
>         //Get role of current user
>         User currentUser = userDirectoryService.getCurrentUser();
>         Role currentUserRole = site.getUserRole(currentUser.getId());
>         String userRoleId = currentUserRole.getId();
>
>         //Check if users are registered with these roles. If so, convert
>         boolean checkMaintain = userRoleId.equalsIgnoreCase("maintain");
>         boolean checkAdmin = userRoleId.equalsIgnoreCase("admin");
>         boolean checkAccess = userRoleId.equalsIgnoreCase("access");
>         boolean checkRegistered = userRoleId.equalsIgnoreCase("registered");
>
>         if (checkMaintain || checkAdmin || checkRegistered) {
>             userRoleId = "Instructor";
>         } else if (checkAccess) {
>             userRoleId = "Student";
>         }
>
>         AuthzGroup ag = authzGroupService.getAuthzGroup(authzGroupName);
>
>         //Get roles
>         Role role = ag.getRole(userRoleId);
>         if (role == null) {
>             return false;
>         }
>
>         //Flag for setting if user has permissions
>         boolean hasPerms = false;
>         hasPerms = role.isAllowed(functionName);
>
>         return hasPerms;
>     } catch (Exception ex) {
>         LOG.warn("Error with StartHere.checkPermissions()", ex);
>     }
>     return false;
> }
>
> --
> David Wafula
>
--
David Wafula
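The thread's point is that a tool which grants access by looking up the user's site membership role (as checkPermissions above does) never consults the permission model, so a role switch made through the role switcher is simply not seen. The following is an added example, not code from either poster or from the Sakai project: it does the check the way Stephen describes, by asking SecurityService whether the current user may perform a function in the current site, and uses a marker permission rather than a role name where a role-like distinction is needed. It assumes (not confirmed by the thread) that SecurityService.unlock honours the switched role, that the realm id to pass to getUserEffectiveRole is the site reference returned by SiteService.siteReference, and that the services are injected by the tool's Spring wiring; the class and method names are hypothetical.

```java
// Added example (hypothetical class, not from the thread or the Sakai project).
// Assumptions: SecurityService.unlock consults the role switcher's effective
// role, and the realm id expected by getUserEffectiveRole is the site
// reference ("/site/<siteId>") returned by SiteService.siteReference.
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.site.api.SiteService;
import org.sakaiproject.tool.api.ToolManager;

public class PermissionChecker {

    // Marker permission named in the thread: flags TA-like roles without
    // tying the tool to a particular role name.
    public static final String MARKER_TA = "section.role.ta";

    private final SecurityService securityService;
    private final SiteService siteService;
    private final ToolManager toolManager;

    // Services are assumed to be injected by the tool's Spring configuration.
    public PermissionChecker(SecurityService securityService,
                             SiteService siteService,
                             ToolManager toolManager) {
        this.securityService = securityService;
        this.siteService = siteService;
        this.toolManager = toolManager;
    }

    // Realm reference of the site the tool is currently placed in.
    private String currentSiteRef() {
        String siteId = toolManager.getCurrentPlacement().getContext();
        return siteService.siteReference(siteId);
    }

    // Permission-based check: no role name is consulted, so the result is
    // correct whatever a deployment calls its roles, and a switched role is
    // honoured because the decision is delegated to the security service.
    public boolean isAllowed(String functionName) {
        return securityService.unlock(functionName, currentSiteRef());
    }

    // Role-like distinction done through the marker permission rather than
    // by comparing against "maintain", "access" or any other role id.
    public boolean isTeachingAssistant() {
        return isAllowed(MARKER_TA);
    }

    // Only for the exceptional case Stephen mentions: the role the user has
    // switched to, or null when no switch is active. Null is the normal state
    // when the user is viewing the site in their regular role, not an error.
    public String switchedRoleOrNull() {
        return securityService.getUserEffectiveRole(currentSiteRef());
    }

    public boolean isViewingAsSwitchedRole() {
        return switchedRoleOrNull() != null;
    }
}
```

A tool would call isAllowed with the function it is about to perform (for example its own "tool.function.read" style permission registered with FunctionManager) at the point of enforcement, rather than deriving a role label once and branching on it; that keeps the authorization decision in one place where the role switcher, site-specific role names and realm templates are all accounted for.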