TireSwingSoftware / openassign-server

OpenAssign server intended for use by a separate client via RPC
BSD 3-Clause "New" or "Revised" License

Separate check methods into suites #114

Closed jc0n closed 12 years ago

jc0n commented 12 years ago

Having all check methods in the authorizer is no doubt a case of the blob antipattern (see http://en.wikipedia.org/wiki/God_object). Issue #39 will introduce at least 13 more check methods, which will amplify this. I believe we can improve maintainability of the authorizer by separating the check methods into multiple files based on functionality.

I have compiled a list of all check methods and which roles use them. There are only 7 check methods used by more than 1 role.

I propose a breakdown into the following suites:

Note: (...) indicates which role(s) are currently using the method.

pr_services.authorizer.checks.auth

actor_is_anybody
actor_is_guest (Guest)
actor_is_authenticated (Authenticated User, User)

pr_services.authorizer.checks.membership

actor_member_of_group (Admin, Instructor, Student),
actor_related_to_domain_affiliation (User),
actor_is_member_of_actee_related_category_authorized_groups
actor_is_manager_of_actee_related_category 
actor_is_group_manager (Group Manager),
actor_is_member_of_any_organization
actee_is_in_group_and_domain
actor_is_in_actee_which_is_an_organization
actor_is_in_actee_which_is_a_group (Authenticated User),

pr_services.authorizer.checks.membership.orgadmin

actor_org_admin_for_actee
actor_org_admin_for_assignment
actor_org_admin_for_credential
actor_org_admin_for_curriculum_task_assoc
actor_org_admin_for_task
actor_org_admin_for_enrollment
actor_org_admin_for_session
actor_org_admin_for_surr
actor_org_admin_for_user
actor_org_admin_for_userorgrole
actor_org_admin_for_exam_answer
actor_org_admin_for_exam_question
actor_org_admin_for_resource

pr_services.authorizer.checks.ownership

actor_owns_assignment_attempt (Exam Taker, File Downloader, File Uploader, Object Owner, Session Participant)
actor_owns_assignment (Exam Taker, File Downloader, File Uploader, Object Owner, Session Participant, Task Taker),
actor_owns_assignment_for_task (Exam Taker, File Downloader, File Uploader, Object Owner, Session Participant, Task Taker),
actor_owns_payment (User) 
actor_owns_training_unit_authorization (User),
actor_owns_session_user_role_requirement
actor_owns_session
actor_owns_assignment_or_is_guest
actor_owns_event
actor_owns_credential (Object Owner),
actor_owns_achievement_award (Object Owner),
actor_owns_address (Object Owner),
actor_owns_prmodel (Object Owner),
actor_owns_question_response (Object Owner),
actor_owns_achievement_award_for_achievement (Object Owner),
actor_owns_purchase_order (Owner of purchase order with no payments, Owner of purchase order with payments),

pr_services.authorizer.checks.constraint

actor_is_acting_upon_themselves (Object Owner),
actor_is_adding_allowed_many_ended_objects_to_user
actor_status_check 
actor_is_venue_creator
actees_attribute_is_set_to
actees_foreign_key_object_has_attribute_set_to
populated_exam_session_is_finished (Object Owner),
actor_actee_enrolled_in_same_session (Instructor),
actor_is_instructor_manager_of_actee (Instructor Manager),
surr_is_of_a_particular_sur
assignment_is_not_video

pr_services.authorizer.checks.assignment

actor_assigned_to_session (Object Owner, Session Participant),
actor_assigned_to_event_session (Session Participant),
actor_has_completed_task_prerequisites (Student),
actor_has_completed_assignment_prerequisites (Object Owner),
assignment_attempt_meets_date_restrictions (Object Owner),
assignment_attempt_prerequisites_met (Object Owner),
assignment_prerequisites_met
assignment_venue_matches_actor_preferred_venue
actor_assigned_to_curriculum_enrollment (Object Owner),

pr_services.authorizer.checks.payment

refund_does_not_exceed_payment (Admin), 
purchase_order_has_no_payments (Owner of purchase order with no payments),
purchase_order_has_payments (Owner of purchase order with payments),

pr_services.authorizer.checks.product_line

actor_is_product_line_manager_of_session_template (Product Line Manager),
actor_is_product_line_manager_of_user (Product Line Manager),
actor_is_product_line_manager_of_product_line (Product Line Manager),
actor_is_product_line_manager_of_session (Product Line Manager),

It would also be necessary to qualify which suite the methods are in when defining roles. The import machinery in the authorizer would be trivial to implement this way.

i.e.

    methods = [
        {'name' : 'membership.actor_member_of_group', 'params' : {'group_id' : group.id}},
        {'name' : 'payment.refund_does_not_exceed_payment', 'params' : {}},
    ]
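The proposal above leaves the resolution step implicit: a role definition names a check as a `suite.method` string, and the authorizer has to turn that string into a function at import time. The following is an added example of that machinery, written for this page and not code from openassign-server. It assumes one module per suite under `pr_services.authorizer.checks`, that every check is marked with a `@check` decorator, and that all checks a role lists must pass; the suite modules, the `is_registered` helper and the sample actor/actee dicts are constructed here so the example runs offline. The point a reviewer would want covered is that the string from the role definition must never be able to reach a module outside the checks package, or an unmarked helper inside one, so the resolver validates the name with a strict pattern and fails closed.

```python
"""Resolving suite-qualified check names from a role definition.

Added example, not openassign-server code. It assumes one module per suite
under pr_services.authorizer.checks and that every check is marked with
@check; the suite modules below are constructed in memory so it runs offline.
"""
import importlib
import re
import sys
import types

CHECKS_PACKAGE = "pr_services.authorizer.checks"  # assumed package root
# A suite is one or more dotted identifiers (e.g. "membership.orgadmin"); a method is one.
_IDENT = r"[a-z_][a-z0-9_]*"
_SUITE_RE = re.compile(rf"^{_IDENT}(\.{_IDENT})*$")
_METHOD_RE = re.compile(rf"^{_IDENT}$")


def check(fn):
    """Mark a function as a check so resolve_check() will hand it to the authorizer."""
    fn._is_check = True
    return fn


# --- Constructed check functions; signatures are (actor, actee, **params) ---
@check
def actor_member_of_group(actor, actee, group_id):
    return group_id in actor.get("groups", ())


@check
def actor_org_admin_for_user(actor, actee):
    return actee.get("organization") in actor.get("admin_of", ())


@check
def refund_does_not_exceed_payment(actor, actee):
    return actee.get("refund", 0) <= actee.get("payment", 0)


def not_a_check(actor, actee):
    """Module-level helper that is deliberately unmarked; roles must not reach it."""
    return True


def _stand_in_module(name, **attrs):
    """Constructed stand-in for a suite file, registered under CHECKS_PACKAGE."""
    mod = types.ModuleType(f"{CHECKS_PACKAGE}.{name}")
    mod.__dict__.update(attrs)
    sys.modules[mod.__name__] = mod
    return mod


_stand_in_module("membership", actor_member_of_group=actor_member_of_group)
_stand_in_module("membership.orgadmin", actor_org_admin_for_user=actor_org_admin_for_user)
_stand_in_module("payment", refund_does_not_exceed_payment=refund_does_not_exceed_payment,
                 not_a_check=not_a_check)


def resolve_check(qualified_name):
    """Map 'suite.method' to a check function.

    Fails closed: the suite must be a plain dotted identifier (so the name can
    never escape CHECKS_PACKAGE), the module must exist, and the attribute must
    be a callable marked with @check, not just any function in the module.
    """
    suite, _, method = qualified_name.rpartition(".")
    if not (_SUITE_RE.match(suite) and _METHOD_RE.match(method)):
        raise ValueError(f"malformed check name: {qualified_name!r}")
    try:
        module = importlib.import_module(f"{CHECKS_PACKAGE}.{suite}")
    except ImportError as exc:
        raise LookupError(f"unknown check suite {suite!r}") from exc
    fn = getattr(module, method, None)
    if not (callable(fn) and getattr(fn, "_is_check", False)):
        raise LookupError(f"{qualified_name!r} is not a registered check")
    return fn


def is_registered(qualified_name):
    """True if the name resolves to a registered check; use it to validate role definitions."""
    try:
        resolve_check(qualified_name)
    except (ValueError, LookupError):
        return False
    return True


def authorize(role_methods, actor, actee):
    """Run every check a role lists; all must pass (assumed semantics for the example)."""
    return all(resolve_check(m["name"])(actor, actee, **m["params"]) for m in role_methods)


if __name__ == "__main__":
    role = [
        {"name": "membership.actor_member_of_group", "params": {"group_id": 7}},
        {"name": "payment.refund_does_not_exceed_payment", "params": {}},
    ]
    actor = {"groups": {7}}
    print(authorize(role, actor, {"payment": 100, "refund": 40}))   # True
    print(authorize(role, actor, {"payment": 100, "refund": 150}))  # False
```

Validating every role's method list with `is_registered` at startup, rather than on first use, turns a typo such as `membership.actor_member_of_groups` into a load-time error instead of a request-time denial, and the `@check` marker keeps module-level helpers out of the set of functions a role can name.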