Name: Externalize User and Permissions Management

Status: Implemented in trunk for 4.1 (earlier status: Proposal under development)

Target Release: Roller Weblogger 4.1

Issue: ROL-1534

Original Authors: Dave Johnson

Proposal to make it possible to externalize user and permissions management, so that Roller can be easily customized to pull user profile and role/permission information from an external user management system.

1.0 Abstract

For ease of installation and management, Roller is able to manage its own users and permissions without relying on any external system other than its RDBMS. We definitely don't want to lose that ability, but as Roller moves into enterprise scenarios where directory servers rule, and social networking scenarios where user profile information is key, we need to make some changes. For Roller to be successful in large organizations and social networks, we need to make it easy to integrate Roller with existing user management and permissions systems. The way to do that is to externalize user and permissions management, or rather to make it externalizable.

...

  • Enable Roller to optionally read/write user profile information in an external system
  • Enable Roller to optionally read/write user role information in an external system
  • Enable Roller to optionally read/write user-weblog and permission information in an external system instead of its relational database
  • Increase the number of authentication/authorization options available in Roller by making it possible to configure Container Managed Authentication (CMA) and not only Acegi

...

Code Block
public boolean hasWritePermissions(User user)

4.2.1 Problem

...

with managing permissions via ORM relationships

Permissions cannot be managed by an external system: because the User-to-Permission-to-Weblog relationship is managed by the ORM, the information must be stored in Roller database tables and therefore cannot be externalized and managed by another system.

...

Here are the new properties:

Code Block
role.names=anonymous,editor,admin
role.actions.anonymous=comment
role.actions.editor=login,comment,createWeblog
role.actions.admin=login,comment,createWeblog,admin

...

5.3 Add new UserManager methods

...

Here are the new methods to be added to UserManager:

Code Block

// Provide a way for the Roller front-end to check any type of permission for a user.
public boolean checkPermission(RollerPermission perm, User user);

// A way for the Roller front-end to grant and revoke roles, because roles imply global permissions.
public void grantRole(String roleName, User user);
public void revokeRole(String roleName, User user);

// The Roller front-end also needs to be able to grant and revoke weblog permissions.
public void grantWeblogPermission(WeblogPermission perm, User user);
public void revokeWeblogPermission(WeblogPermission perm, User user);

// And it needs to display the roles and permissions associated with each user, and the permissions granted on each weblog.
public List<String> getRoles(User user);
public List<WeblogPermission> getWeblogPermissions(User user);
public List<WeblogPermission> getWeblogPermissions(Weblog weblog);

For example, if you want to check whether a user can post a weblog entry in a weblog, you would do this:

Code Block

WeblogPermission desiredPerm = new WeblogPermission(weblog, WeblogPermission.POST);
boolean allowed = userManager.checkPermission(desiredPerm, user);

Roller will look up the WeblogPermission object for the specified user and weblog and will return true if the "post" action is in the permission's action list.
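The following is an added example, not Roller's own code, that ties together the role.names / role.actions.* properties from the previous section and the checkPermission() call just shown: it parses the properties into a role-to-actions map, models a WeblogPermission with an implies() check, and implements the lookup that checkPermission() describes against an in-memory stand-in for UserManager. Everything not quoted from the proposal is an assumption made for this example: the class names PermissionCheckExample and InMemoryUserManager, the helper names loadRoleActions, hasGlobalAction and implies, the extra action constants EDIT_DRAFT and ADMIN, the use of a weblog handle string in place of a Weblog object and a user name in place of a User, and the rule that the global "admin" action short-circuits a weblog check.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

// Added illustration, not Roller's own code: an in-memory model of the role.* properties and of the
// checkPermission() contract described above. Every name except those quoted from the proposal
// (role.names, role.actions.*, checkPermission, grantRole, WeblogPermission, POST) is an assumption.
public class PermissionCheckExample {
    // The properties from the proposal, embedded as constructed input so the example runs offline.
    static final String ROLE_PROPERTIES =
          "role.names=anonymous,editor,admin\n"
        + "role.actions.anonymous=comment\n"
        + "role.actions.editor=login,comment,createWeblog\n"
        + "role.actions.admin=login,comment,createWeblog,admin\n";

    // Parse role.names and role.actions.<name> into role -> set of global actions. A role listed
    // in role.names without an actions entry gets an empty set, i.e. it is denied everything.
    static Map<String, Set<String>> loadRoleActions(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        Map<String, Set<String>> roleActions = new LinkedHashMap<>();
        for (String role : props.getProperty("role.names", "").split(",")) {
            role = role.trim();
            if (role.isEmpty()) continue;
            Set<String> actions = new LinkedHashSet<>();
            for (String a : props.getProperty("role.actions." + role, "").split(",")) {
                if (!a.trim().isEmpty()) actions.add(a.trim());
            }
            roleActions.put(role, actions);
        }
        return roleActions;
    }

    // A permission on one weblog: the weblog handle plus the actions it allows.
    static final class WeblogPermission {
        static final String POST = "post", EDIT_DRAFT = "edit_draft", ADMIN = "admin";
        final String weblogHandle;
        final Set<String> actions;
        WeblogPermission(String weblogHandle, String... actions) {
            this.weblogHandle = weblogHandle;
            this.actions = new LinkedHashSet<>(Arrays.asList(actions));
        }
        // A granted permission implies a desired one only for the same weblog, and only if it
        // carries the weblog-level admin action or every action the desired permission asks for.
        boolean implies(WeblogPermission desired) {
            return weblogHandle.equals(desired.weblogHandle)
                && (actions.contains(ADMIN) || actions.containsAll(desired.actions));
        }
    }

    // Stand-in for UserManager that keeps roles and weblog permissions in memory.
    static final class InMemoryUserManager {
        private final Map<String, Set<String>> roleActions;
        private final Map<String, Set<String>> userRoles = new HashMap<>();
        private final Map<String, List<WeblogPermission>> weblogPerms = new HashMap<>();
        InMemoryUserManager(Map<String, Set<String>> roleActions) { this.roleActions = roleActions; }

        void grantRole(String roleName, String user) {
            // Refuse roles that role.names does not declare, so a typo cannot grant a phantom role.
            if (!roleActions.containsKey(roleName)) throw new IllegalArgumentException("undeclared role: " + roleName);
            userRoles.computeIfAbsent(user, u -> new HashSet<>()).add(roleName);
        }
        void grantWeblogPermission(WeblogPermission perm, String user) {
            weblogPerms.computeIfAbsent(user, u -> new ArrayList<>()).add(perm);
        }
        // Global check: does any role the user holds list this action?
        boolean hasGlobalAction(String user, String action) {
            for (String role : userRoles.getOrDefault(user, Collections.emptySet())) {
                if (roleActions.getOrDefault(role, Collections.emptySet()).contains(action)) return true;
            }
            return false;
        }
        // Weblog check as the proposal describes it: the global "admin" action short-circuits;
        // otherwise some WeblogPermission granted to the user must imply the desired one.
        boolean checkPermission(WeblogPermission desired, String user) {
            if (hasGlobalAction(user, "admin")) return true;
            for (WeblogPermission granted : weblogPerms.getOrDefault(user, Collections.emptyList())) {
                if (granted.implies(desired)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        InMemoryUserManager um = new InMemoryUserManager(loadRoleActions(ROLE_PROPERTIES));
        um.grantRole("editor", "alice");
        um.grantWeblogPermission(new WeblogPermission("alices-blog", WeblogPermission.POST), "alice");
        um.grantRole("editor", "bob");
        um.grantWeblogPermission(new WeblogPermission("alices-blog", WeblogPermission.EDIT_DRAFT), "bob");
        um.grantRole("admin", "carol");
        WeblogPermission desired = new WeblogPermission("alices-blog", WeblogPermission.POST);
        System.out.println("alice, granted post on the weblog: " + um.checkPermission(desired, "alice"));
        System.out.println("bob, granted only edit_draft:      " + um.checkPermission(desired, "bob"));
        System.out.println("carol, global admin role only:     " + um.checkPermission(desired, "carol"));
    }
}
```

Compile and run with javac PermissionCheckExample.java && java PermissionCheckExample. Two points worth noting for a deployment: once the role-to-action mapping lives in properties, that file becomes security-sensitive configuration (adding "admin" to role.actions.editor silently turns every editor into a global administrator), and checkPermission() must be called on every server-side write path, not only when deciding what to render in the front-end.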

5.4 Implementation of new UserManagement permissions methods

...