[Building Sakai] Effecting permissions when using role switcher
Stephen Marquard
stephen.marquard at uct.ac.za
Thu Dec 1 00:59:13 PST 2011
As per the javadoc (although the javadocs could probably be more
explicit), it will give you null if the user is not viewing the site in
a different role.
    /**
     * Get the current user's effective role in this authz group
     * for security lookups in this session.
     *
     * @param azGroupId
     *        The authz group id
     * @return The user's effective role if set, otherwise null
     */
    String getUserEffectiveRole(String azGroupId);
It's used for example by the portal to decide whether to show the "View
as" prompt or the "exit view as" link.
Also you would need to pass a real site id - it would be meaningless to
set the "view as" role in a template authzgroup like
!group.template.course.
Cheers
Stephen
Stephen Marquard, Acting Director
Centre for Educational Technology, University of Cape Town
http://www.cet.uct.ac.za
Email/IM/XMPP: stephen.marquard at uct.ac.za
Phone: +27-21-650-5037 Cell: +27-83-500-5290
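The distinction drawn in this thread, checking permissions rather than role names and reading the "view as" role through the effective-role lookup, modelled as an added Python example. It is not Sakai code: Role, AuthzGroup, Session, is_allowed and get_user_effective_role only loosely mirror the Sakai API, and the sites, users, role names and function names below are constructed. It runs the hard-coded-role mapping from the original post and a permission-based check side by side against two deployments, one with stock role names and one with renamed roles, with and without "View as Student" in effect.

```python
# Constructed model of the two authorization styles discussed in this thread.
# Added example, not Sakai code: the class and method names only loosely
# mirror the Sakai API; sites, users, roles and functions are made up.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    role_id: str
    functions: frozenset  # permission ("function") names this role grants

    def is_allowed(self, function: str) -> bool:
        return function in self.functions


@dataclass
class AuthzGroup:
    group_id: str
    roles: dict    # role id -> Role (permission definitions)
    members: dict  # user id -> role id (membership)

    def get_role(self, role_id: str) -> Optional[Role]:
        return self.roles.get(role_id)

    def user_role_id(self, user_id: str) -> Optional[str]:
        return self.members.get(user_id)


@dataclass
class Session:
    user_id: str
    # "view as" state per authz group id; absent means None, like getUserEffectiveRole
    effective_roles: dict = field(default_factory=dict)

    def get_user_effective_role(self, group_id: str) -> Optional[str]:
        return self.effective_roles.get(group_id)

    def view_as(self, group: AuthzGroup, role_id: str) -> bool:
        # Design choice of this model, not taken from the thread: the target
        # role may only drop permissions, so "view as" can never escalate.
        real = group.get_role(group.user_role_id(self.user_id) or "")
        target = group.get_role(role_id)
        if real is None or target is None or not target.functions <= real.functions:
            return False
        self.effective_roles[group.group_id] = role_id
        return True

    def exit_view_as(self, group_id: str) -> None:
        self.effective_roles.pop(group_id, None)


def role_name_check(session, site, template, function) -> bool:
    # The fragile pattern from the original post: map hard-coded site role
    # names onto "Instructor"/"Student" and look those up in a template group.
    # It never consults the effective role and breaks when roles are renamed.
    role_id = site.user_role_id(session.user_id)
    if role_id is None:
        return False
    if role_id.lower() in ("maintain", "admin", "registered"):
        role_id = "Instructor"
    elif role_id.lower() == "access":
        role_id = "Student"
    role = template.get_role(role_id)
    return role is not None and role.is_allowed(function)


def permission_check(session, site, function) -> bool:
    # Permission-based check: resolve the role the user is currently acting in
    # (the "view as" role if set, else the real membership role) and ask
    # whether that role grants the function. No role names appear here.
    role_id = (session.get_user_effective_role(site.group_id)
               or site.user_role_id(session.user_id))
    role = site.get_role(role_id) if role_id else None
    return role is not None and role.is_allowed(function)


def demo() -> dict:
    # Both checks against two deployments that name their roles differently.
    owner, student = frozenset({"site.upd", "content.read"}), frozenset({"content.read"})
    template = AuthzGroup("!group.template.course",  # roles only, no members
                          {"Instructor": Role("Instructor", owner),
                           "Student": Role("Student", student)}, {})
    site_a = AuthzGroup("/site/a",  # stock role names
                        {"maintain": Role("maintain", owner), "access": Role("access", student)},
                        {"alice": "maintain", "bob": "access"})
    site_b = AuthzGroup("/site/b",  # renamed roles, as the thread describes for UCT
                        {"Site owner": Role("Site owner", owner),
                         "Participant": Role("Participant", student)},
                        {"alice": "Site owner", "bob": "Participant"})
    alice, r = Session("alice"), {}
    r["a_role_check"] = role_name_check(alice, site_a, template, "site.upd")
    r["a_perm_check"] = permission_check(alice, site_a, "site.upd")
    alice.view_as(site_a, "access")  # the instructor picks "View as Student"
    r["a_viewas_role_check"] = role_name_check(alice, site_a, template, "site.upd")
    r["a_viewas_perm_check"] = permission_check(alice, site_a, "site.upd")
    alice.exit_view_as(site_a.group_id)
    r["b_role_check"] = role_name_check(alice, site_b, template, "site.upd")
    r["b_perm_check"] = permission_check(alice, site_b, "site.upd")
    bob = Session("bob")  # a student trying to "view as" the owner role
    r["bob_escalate_refused"] = not bob.view_as(site_a, "maintain")
    return r
```

demo() surfaces the two failure modes of the role-name approach: with "View as Student" active it still grants site.upd because it never reads the effective role, and against the renamed deployment it denies the real site owner because "Site owner" matches none of its hard-coded strings. permission_check gets both cases right without knowing any role name. The escalation guard in view_as is this model's own choice; in a real deployment, whether a user may switch roles at all is itself something to enforce with a permission rather than assume.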
>>> David Wafula <davidwaf at gmail.com> 12/1/2011 10:50 AM >>>
Thanks Stephen. I will certainly remove the hardcoded roles once I get
things working smoothly. I'm afraid SecurityService.getUserEffectiveRole
is always giving me null:
public final static String GROUP_TEMPLATE_COURSE = "!group.template.course";

// Look up the template authz group and ask for the effective role in it
AuthzGroup ag = authzGroupService.getAuthzGroup(GROUP_TEMPLATE_COURSE);
System.out.println("Effective user role "
        + securityService.getUserEffectiveRole(ag.getId()));
Am I doing this right?
Regards.
On Thu, Dec 1, 2011 at 10:23 AM, Stephen Marquard <
stephen.marquard at uct.ac.za> wrote:
> Hi David,
>
> Basically you shouldn't grant access based on hard-coded role names,
> you should do so based on permissions.
>
> Role names can change across deployments. For example at UCT we have a
> Participant role in our project sites, not "access", and "Site owner"
> rather than "maintain".
>
> If you really need something role-based, like to differentiate between
> tutors and students, you should use the "marker" permissions such as
> section.role.ta.
>
> And if you really need to know if the user is "being" another role, you
> can call SecurityService.getUserEffectiveRole to find out if they are
> viewing the site in a role different to their regular role. But in
> general tools should not do that unless there are exceptional reasons to
> do so.
>
> Regards
> Stephen
>
> Stephen Marquard, Acting Director
> Centre for Educational Technology, University of Cape Town
> http://www.cet.uct.ac.za
> Email/IM/XMPP: stephen.marquard at uct.ac.za
> Phone: +27-21-650-5037 Cell: +27-83-500-5290
>
>
>
> >>> David Wafula <davidwaf at gmail.com> 12/1/2011 10:03 AM >>>
> Hi all,
> I am using the following code to implement access to various resources
> based on roles. If I am logged in as a student, it works accordingly. If
> I am logged in as an instructor, it works accordingly. BUT, if I am logged
> in as an instructor and I use role-switch, say to "View as Student", the
> role doesn't change; it still sticks to instructor permissions. Anything
> I could be missing? Here is the code:
>
> public boolean checkPermissions(String authzGroupName, String functionName) {
>     try {
>         // Get the current site from the tool placement
>         String currentSiteId = toolManager.getCurrentPlacement().getContext();
>         Site site = siteService.getSite(currentSiteId);
>
>         // Get the current user's membership role in that site
>         User currentUser = userDirectoryService.getCurrentUser();
>         Role currentUserRole = site.getUserRole(currentUser.getId());
>         String userRoleId = currentUserRole.getId();
>
>         // Map the site's role names onto the role names used in the
>         // target authz group (hard-coded role names)
>         boolean checkMaintain = userRoleId.equalsIgnoreCase("maintain");
>         boolean checkAdmin = userRoleId.equalsIgnoreCase("admin");
>         boolean checkAccess = userRoleId.equalsIgnoreCase("access");
>         boolean checkRegistered = userRoleId.equalsIgnoreCase("registered");
>
>         if (checkMaintain || checkAdmin || checkRegistered) {
>             userRoleId = "Instructor";
>         } else if (checkAccess) {
>             userRoleId = "Student";
>         }
>
>         AuthzGroup ag = authzGroupService.getAuthzGroup(authzGroupName);
>
>         // Look up the mapped role in the target authz group
>         Role role = ag.getRole(userRoleId);
>         if (role == null) {
>             return false;
>         }
>
>         // Does that role grant the requested function?
>         return role.isAllowed(functionName);
>     } catch (Exception ex) {
>         LOG.warn("Error with StartHere.checkPermissions()", ex);
>     }
>     return false;
> }
>
> --
> David Wafula
>
> ###
>
> UNIVERSITY OF CAPE TOWN
>
> This e-mail is subject to the UCT ICT policies and e-mail disclaimer
> published on our website at
> http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from
> +27 21 650 9111. This e-mail is intended only for the person(s) to whom
> it is addressed. If the e-mail has reached you in error, please notify
> the author. If you are not the intended recipient of the e-mail you may
> not use, disclose, copy, redirect or print the content. If this e-mail
> is not related to the business of UCT it is sent by the sender in the
> sender's individual capacity.
>
> ###
>
--
David Wafula