Trellis Learning Management System


Viewing Issue Simple Details
ID: 0000166
Category: [Trellis] Action Objects
Severity: minor
Reproducibility: always
Date Submitted: 2008-10-22 17:04
Last Update: 2009-03-13 15:06
Reporter: james
View Status: public
Assigned To: henry
Priority: normal
Resolution: open
Status: assigned
Product Version: 0.5.2
Summary: 0000166: actions should be shown based on permission
Description: When viewing the drop-down of available actions in an admin browser, all actions that are defined show, regardless of the current user's permissions. Not only are they shown, but any user is able to perform the action.

Actions should be permission based so that we can control what actions are actually displayed in the action drop-down.

Tags No tags attached.

- Relationships
has duplicate 0000202 (confirmed): restrict access to actions/actions objects through use of permissions

-  Notes
(0000597)
shaddy (reporter)
2008-10-22 22:59

how can we do this?
(0000643)
carlos (developer)
2008-12-09 11:59
edited on: 2008-12-09 12:00

On core/amin/modules/userbrowser.php, lines 110-131. I get the user information to get his permission_set and then I switch over it and, depending on the permission, I display one drop-down menu or another. This would be sample code.

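global $lms;

// Fetch the logged-in user's record; stays an empty array when there is no session.
$user_info = array();
if (isset($_SESSION['TRELLIS_user_id']) && $_SESSION['TRELLIS_user_id'])
{
    $user_info = $lms->get_user($_SESSION['TRELLIS_user_id']);
}

$filter_fields = array(
    'u.user_id' => 'User ID',
    'u.username' => 'Username',
    'u.last_name' => 'Last Name',
    'u.first_name' => 'First Name',
    'u.email_address' => 'Email Address',
    'prms.permission_set_name' => 'Permission Set',
);

// -1 matches no case below, so a missing or non-numeric permission set gets
// the default menu instead of loosely comparing equal to 0.
$permission_set_id = -1;
if (isset($user_info['permission_set_id']) && is_numeric($user_info['permission_set_id']))
{
    $permission_set_id = (int) $user_info['permission_set_id'];
}

// Choose the drop-down contents by permission set.
switch ($permission_set_id)
{
    case 1:
        $action_options = array('register' => 'Register', 'editstatus' => 'Edit Status', 'changegroup' => 'Change Group/Permissions');
        break;
    case 0:
        $action_options = array('register' => 'Register', 'editstatus' => 'Edit Status');
        break;
    default:
        $action_options = array('register' => 'Register');
        break;
}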

(0000644)
james (administrator)
2008-12-09 12:21

The issue is more specific than what permission set a user has. It should be related to the actual actions available and what permission a user must have in order to perform each individual action. Plus we cannot predict what permission a user has based on the permission id only.
(0000645)
james (administrator)
2008-12-09 12:45

Here's what I was thinking:
In the admin browsers, a key/value array is created which contains the value, title and permission required to perform the action:
$available_actions = array(
   array('value' => 'editstatus',
         'title' => 'Edit Status',
         'permission' => 'edit_user_info'),
   array('value' => 'changegroup',
         'title' => 'Change Group',
         'permission' => 'edit_user_info')
);

This array is then run through a function that will loop through the available actions and check if the current user has the permission required. The function will then return an array of action options.

ex:
$action_options = get_action_options($available_actions);

so if I had the edit_user_info permission, the result would be:
$action_options = array('editstatus' => 'Edit Status', 'changegroup' => 'Change Group');

if I didn't:
$action_options = array();
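
The approach described in this note, as an added example (not Trellis code and not part of the original note): `get_action_options` filters the drop-down, and a hypothetical `is_action_allowed` applies the same check when an action is submitted, since the issue description reports that any user is able to perform the actions. The `$user_permissions` parameter is an assumption standing in for Trellis' own permission lookup, which this page does not show.

```php
<?php
// Added example, not Trellis code. $user_permissions (the permission names
// held by the current user) is an assumed stand-in for Trellis' permission API.

// Return array('value' => 'title') for the actions the user may perform.
function get_action_options(array $available_actions, array $user_permissions)
{
    $options = array();
    foreach ($available_actions as $action) {
        // Fail closed: an entry missing any of its three keys is never offered.
        if (!isset($action['value'], $action['title'], $action['permission'])) {
            continue;
        }
        if (in_array($action['permission'], $user_permissions, true)) {
            $options[$action['value']] = $action['title'];
        }
    }
    return $options;
}

// Server-side check for a submitted action (hypothetical helper). The
// drop-down is only a view, so the handler re-derives the allowed set
// instead of trusting the posted value.
function is_action_allowed($requested, array $available_actions, array $user_permissions)
{
    $allowed = get_action_options($available_actions, $user_permissions);
    return is_string($requested) && array_key_exists($requested, $allowed);
}

$available_actions = array(
    array('value' => 'editstatus',  'title' => 'Edit Status',  'permission' => 'edit_user_info'),
    array('value' => 'changegroup', 'title' => 'Change Group', 'permission' => 'edit_user_info'),
);

// Constructed sample users: one holding edit_user_info, one holding nothing.
$with_permission    = array('edit_user_info');
$without_permission = array();

// Menu contents for each user.
var_dump(get_action_options($available_actions, $with_permission));
var_dump(get_action_options($available_actions, $without_permission));

// The same posted action value, checked for each user before it is executed.
var_dump(is_action_allowed('changegroup', $available_actions, $with_permission));
var_dump(is_action_allowed('changegroup', $available_actions, $without_permission));
```
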
(0000646)
carlos (developer)
2008-12-09 13:22

Do you think it would be a good idea to have the permissions field of the array as another array? This way, the same action could be accessible from several permissions.

Ex.
$available_actions = array(
   array('value' => 'editstatus',
         'title' => 'Edit Status',
         'permission' => array('edit_user_info')),
   array('value' => 'changegroup',
         'title' => 'Change Group',
         'permission' => array('edit_user_info','change_group_users'))
);

The same function that you mentioned that would loop through the available actions would check if the user has any of those permissions required, looping through the permissions array also. We could also think about what if an action requires more than one permission. Should we have them in the same cell of the permissions array separated by commas? Like this.

Ex.
$available_actions = array(
   array('value' => 'editstatus',
         'title' => 'Edit Status',
         'permission' => array('edit_user_info,change_group_users')),
   array('value' => 'changegroup',
         'title' => 'Change Group',
         'permission' => array('edit_user_info','change_group_users'))
);

This would mean that you can only edit the status if you have the edit_user_info permission and the change_group_users permission. On the other hand, you can only change the group if you have edit_user_info or change_group_users permission, but you do not need both.
(0000742)
henry (developer)
2009-03-11 17:39

I agree with James' solution. Regarding Carlos' suggestions, evaluating multiple permissions for an action is not necessary because Trellis' object-oriented design makes only one permission necessary for any given task.
(0000743)
james (administrator)
2009-03-11 18:00

proceed to create the get_action_options function and update the $available_actions array for each necessary browser module
(0000752)
vcs (reporter)
2009-03-12 11:42

issue#166

added get_action_options function that checks a list of actions against the user's permissions


Repository: /var/svn/trellis-dev, Revision: 8565, Committer: henry
(0000753)
vcs (reporter)
2009-03-12 12:03

issue#166

debugged


Repository: /var/svn/trellis-dev, Revision: 8566, Committer: henry
(0000754)
vcs (reporter)
2009-03-12 12:06

issue#166

debugged


Repository: /var/svn/trellis-dev, Revision: 8567, Committer: henry
(0000755)
vcs (reporter)
2009-03-12 12:09

issue#166

modified coursebrowser, userbrowser, regbrowser and userprogrambrowser to utilize get_action_options for permission-based actions


Repository: /var/svn/trellis-dev, Revision: 8568, Committer: henry
(0000756)
vcs (reporter)
2009-03-12 12:13

issue#166

fixed typo with variable name


Repository: /var/svn/trellis-dev, Revision: 8569, Committer: henry
(0000763)
vcs (reporter)
2009-03-13 10:23

issue#166

fixed to correct permission name for action


Repository: /var/svn/trellis-dev, Revision: 8573, Committer: henry
(0000765)
vcs (reporter)
2009-03-13 15:06

issue#166

fixed to correct permission name for action


Repository: /var/svn/trellis-dev, Revision: 8576, Committer: henry

- Issue History
Date Modified Username Field Change
2008-10-22 17:04 james New Issue
2008-10-22 22:59 shaddy Note Added: 0000597
2008-10-22 22:59 shaddy Status new => confirmed
2008-12-09 11:59 carlos Note Added: 0000643
2008-12-09 12:00 carlos Note Edited: 0000643
2008-12-09 12:21 james Note Added: 0000644
2008-12-09 12:45 james Note Added: 0000645
2008-12-09 13:22 carlos Note Added: 0000646
2009-03-11 17:17 james Relationship added has duplicate 0000202
2009-03-11 17:39 henry Note Added: 0000742
2009-03-11 17:58 james Status confirmed => assigned
2009-03-11 17:58 james Assigned To => henry
2009-03-11 18:00 james Note Added: 0000743
2009-03-12 11:42 vcs Checkin
2009-03-12 11:42 vcs Note Added: 0000752
2009-03-12 12:03 vcs Checkin
2009-03-12 12:03 vcs Note Added: 0000753
2009-03-12 12:06 vcs Checkin
2009-03-12 12:06 vcs Note Added: 0000754
2009-03-12 12:09 vcs Checkin
2009-03-12 12:09 vcs Note Added: 0000755
2009-03-12 12:13 vcs Checkin
2009-03-12 12:13 vcs Note Added: 0000756
2009-03-13 10:23 vcs Checkin
2009-03-13 10:23 vcs Note Added: 0000763
2009-03-13 15:06 vcs Checkin
2009-03-13 15:06 vcs Note Added: 0000765


