wayf-dk / janus-ssp

Automatically exported from code.google.com/p/janus-ssp

Allowed & Blocked entities: link to editing and show blacklisting for remote entities (if allowed) #347

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Given the configuration:

SP1: Jira, all IdPs allowed
SP2: Google Apps, all IdPs allowed

IdP1: WAYF.dk, all SPs allowed
IdP2: SURFnet, all SPs allowed

|SP1|\-/|IDP1|
      /
|SP2|/-\|IDP2|

When I set Google Apps to only be accessible to SURFnet then:
- the SURFnet allowed SPs should only include Jira and Allow All should be off.
- the Jira allowed IdPs should still be Allow All.
- the WAYF.dk allowed SPs should still be Allow All.

|SP1|---|IDP1|
      \
|SP2|--\|IDP2|

Matching SURFnet issue: https://jira.surfconext.nl/jira/browse/BACKLOG-442

Original issue reported on code.google.com by relaxno...@gmail.com on 11 Jun 2012 at 1:06

GoogleCodeExporter commented 9 years ago
Jacob, I was thinking of making a new configuration item: 
'entity.blocking.mirror' that can have a boolean value.
And then in the applying of edits check whether to mirror the setting, which 
can then do its magic.

Also I will need a migration script that will mirror the current configuration 
based on the configuration of the SPs.

Do you agree?

Original comment by relaxno...@gmail.com on 11 Jun 2012 at 1:12

GoogleCodeExporter commented 9 years ago
Discussed this with Pieter (from SURFnet) and Jacob (from WAYF), the current 
ACL setup for entities is too complex for the use case that SURFnet has, where 
only admins access the interface, however it is required for the use case that 
WAYF has where it is used as a self service environment for IdPs and SPs.

Now Jacob would be open to supporting an alternative ACL by 'flipping the 
switch' on a configuration setting, but this would be quite some work and as 
WAYF would not use it, it would make it more prone to errors in new versions of 
JANUS.

Instead the current proposed solution is to change the ACL view from:

-------------

[ ] Allow All
[ ] Allow None

Whitelist
[ ] Some Entity
    https://someentity.example.edu
[ ] Another Entity
    https://anotherentity.example.edu

Blacklist
[ ] Some Entity
    https://someentity.example.edu
[ ] Another Entity
    https://anotherentity.example.edu

-------------

To:

-------------

[ ] Allow All
[ ] Allow None

Whitelist
[ ] Some Entity (BLOCKED)
    <a href="editentity.php?eid=x">https://someentity.example.edu</a>
[ ] Another Entity
    <a href="editentity.php?eid=x">https://anotherentity.example.edu</a>

Blacklist
[ ] Some Entity (BLOCKED)
    <a href="editentity.php?eid=x">https://someentity.example.edu</a>
[ ] Another Entity
    <a href="editentity.php?eid=x">https://anotherentity.example.edu</a>

-------------

Where (BLOCKED) would be appended when the destination entity blocks the 
current entity.
Also all entityIds will be links to the edit screen for that entity.
This will only be added for users that can view all entities. 

Original comment by relaxno...@gmail.com on 18 Jun 2012 at 12:51

GoogleCodeExporter commented 9 years ago
The (BLOCKED) should be a configurable option, since we have business rules not 
to display this info.

The edit link should also be available if the current user has access to it, 
even if the user does not have the all entities access.

Original comment by j...@wayf.dk on 18 Jun 2012 at 1:01

GoogleCodeExporter commented 9 years ago
(BLOCKED) should be (FORBIDDEN BY IDP) for an SP entity or (FORBIDDEN BY SP) 
for an IdP entity.

Original comment by relaxno...@gmail.com on 18 Jun 2012 at 1:02
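As an added example, not code from the JANUS project: a small Python model of the per-entity ACL and of the proposed (FORBIDDEN BY IDP) / (FORBIDDEN BY SP) marker, run against the Jira / Google Apps / WAYF.dk / SURFnet scenario from the first comment. The ACL semantics (a blacklist entry wins, otherwise Allow All or the whitelist decides) and the entity ids are assumptions; `asymmetric_pairs` goes beyond the page by listing every one-sided allow between an SP and an IdP, which is what a mirroring step would have to reconcile.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    entity_id: str
    kind: str                                    # "sp" or "idp"
    allow_all: bool = False                      # the "Allow All" checkbox
    whitelist: set = field(default_factory=set)  # entity ids explicitly allowed
    blacklist: set = field(default_factory=set)  # entity ids explicitly blocked

def allows(src: Entity, dst: Entity) -> bool:
    """Does src's own ACL permit dst? Assumed semantics: blacklist wins,
    otherwise Allow All permits everything, else only the whitelist does."""
    if dst.entity_id in src.blacklist:
        return False
    return src.allow_all or dst.entity_id in src.whitelist

def forbidden_label(src: Entity, dst: Entity) -> str:
    """Marker appended to dst in src's ACL view when dst blocks src on its side."""
    if allows(dst, src):
        return ""
    return " (FORBIDDEN BY IDP)" if dst.kind == "idp" else " (FORBIDDEN BY SP)"

def render_acl_view(src: Entity, entities, can_view_all: bool):
    """Rows of src's ACL screen: remote entities of the other kind, checked when
    src allows them; the marker is shown only to users who may view all entities."""
    rows = []
    for e in entities:
        if e.kind == src.kind:
            continue
        checked = "x" if allows(src, e) else " "
        label = forbidden_label(src, e) if can_view_all else ""
        rows.append(f"[{checked}] {e.name}{label}")
    return rows

def asymmetric_pairs(entities):
    """(sp, idp) pairs where exactly one side allows the other."""
    sps = [e for e in entities if e.kind == "sp"]
    idps = [e for e in entities if e.kind == "idp"]
    return [(sp.name, idp.name) for sp in sps for idp in idps
            if allows(sp, idp) != allows(idp, sp)]

# Constructed scenario from the issue: Google Apps restricted to SURFnet only.
JIRA = Entity("Jira", "https://jira.example.org", "sp", allow_all=True)
GAPPS = Entity("Google Apps", "https://gapps.example.org", "sp",
               whitelist={"https://surfnet.example.org"})
WAYF = Entity("WAYF.dk", "https://wayf.example.org", "idp", allow_all=True)
SURFNET = Entity("SURFnet", "https://surfnet.example.org", "idp", allow_all=True)
ENTITIES = [JIRA, GAPPS, WAYF, SURFNET]
```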

GoogleCodeExporter commented 9 years ago
Jacob, should (FORBIDDEN BY ) still be configurable if it will only be added 
for users that can edit the destination entity?

Original comment by relaxno...@gmail.com on 18 Jun 2012 at 1:04

GoogleCodeExporter commented 9 years ago
If the user can edit the entity, then it is okay to display the entity.

Original comment by j...@wayf.dk on 18 Jun 2012 at 1:14

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1128.

Original comment by relaxno...@gmail.com on 19 Jun 2012 at 11:20

GoogleCodeExporter commented 9 years ago

Original comment by relaxno...@gmail.com on 19 Jun 2012 at 11:21