kcranston
commented
12 years ago It seems like we should have a few possible roles:
- read-only (or, even better, the ability to make a project publicly readable without login): can browse, search and download but no changes
- admin (can create new projects, users, etc)
And then one or more user roles:
- user level 1: can code data, add new OTUs
- user level 2: user level 1 + ability to add new matrices, new characters and character states These are only examples, might make sense to allocate allowable activities in a different way.
mjy
caryfitzhugh
We might consider updating to a gem based authorization/roles project at this point. At present everything actually works except users can view/edit projs (the project record itself) they don't belong to.
I don't see a huge need to change, except perhaps to get some OPENIDesqe functionality integrated (login with my whatever account), and we might position ourselves to better define roles for future feature requests. Comments/thoughts welcome.
Quick overview of the required functionality, the setup is pretty basic:
A request either comes from a logged in user, or it doesn't. All those controllers in /api or /public do not require login, all other controllers require login.
In addition controllers 'admin', 'namespaces', 'image_views' can only be CRUD viewed by a person with is_admin = 1. Other methods internal to them must be accessible in some cases (e.g. autocomplete_for_image_views).
A logged in user can only view resources that belong to a proj that he/she is a member of. This is checked (presently) in the appliccation_controller by comparing the session[:person] to the users in @proj. @proj is currently set on every request (perhaps we could memcache it for a speedup?).