Roles and Permissions in Talia
Created by Daniel. These specs are not complete. See also the Technical specs.
The Talia Core will have a permission system that integrates with the workflow module. The basic mechanism is as follows:
- Each user account can be assigned one or more roles
- Each role can contain one or more permissions
- There will be some built-in permissions (e.g. upgrade_talia or something like that)
- Other permissions will be tied to workflow actions in the system (e.g. permission to execute "vote" in the peer-review workflow)
The following is a tentative API for user, role and permission management:
User objects
The User object will have to have the following methods (in addition to the other methods it needs ;-):
- User#roles - returns a list of the roles of this user
- User#add_role(role) - assigns the given role to the user
- User#remove_role(role = :all) - Removes the given role (or all)
- User#has_role?(role) - true if the user has the given role
- User#has_permission?(permission) - true if the user has the given permission
Role objects
The Role object will have to have at least the following methods:
- Role#users - returns all users that are assigned this role
- Role#permissions - returns all permissions for this role
- Role#add_permission(perm) / Role#remove_permission(perm = :all) - Add and remove permissions (or remove all of them)
Permissions
The permissions could work like this:
- TALIA_PERMISSION.PERMISSION - Built-in permissions
- TALIA_PERMISSION.WORKFLOW - May execute all actions for this workflow
- TALIA_PERMISSION.WORKFLOW.ACTION - May execute the given action on the given workflow
The constants will be created dynamically. Talia doesn't check whether the workflow or action actually exists; if they don't, the permission has no effect. A misspelled workflow or action name therefore raises no error, it simply grants nothing.
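To make the tentative API above concrete, here is an added stand-alone Ruby sketch of the user/role/permission model described in the three sections above. It is not Talia's own code: the Permission class, the CONSTANT_SEGMENT pattern, the in-memory Set storage (in place of the database-backed models), the role names reviewer/editor/typo and the ACCEPT action are all assumptions made for the example; only the peer-review workflow, its "vote" action and the upgrade_talia built-in come from the page.

```ruby
require 'set'

# Permission names are written constant-style (TALIA_PERMISSION.PEER_REVIEW.VOTE)
# and resolved via method_missing, as the spec sketches. Only ALL_CAPS segments
# are accepted so that ordinary lookups (to_ary, inspect, ...) are not swallowed.
CONSTANT_SEGMENT = /\A[A-Z][A-Z0-9_]*\z/   # assumption, not from the spec

class Permission
  attr_reader :workflow, :action
  # workflow == nil is the TALIA_PERMISSION root; action == nil means "every action
  # of this workflow" (a built-in such as UPGRADE_TALIA is a top-level name that matches no workflow).
  def initialize(workflow = nil, action = nil)
    @workflow = workflow && workflow.to_s.downcase
    @action   = action && action.to_s.downcase
  end
  # TALIA_PERMISSION.X -> top-level permission X; X.Y -> action Y of workflow X.
  def method_missing(name, *args)
    return super unless @action.nil? && args.empty? && name.to_s =~ CONSTANT_SEGMENT
    @workflow ? Permission.new(@workflow, name) : Permission.new(name)
  end
  def respond_to_missing?(name, include_private = false)
    (@action.nil? && name.to_s =~ CONSTANT_SEGMENT) ? true : super
  end
  # A workflow-wide permission covers every action of that workflow.
  def covers?(other)
    workflow == other.workflow && (action.nil? || action == other.action)
  end
  def ==(other)
    other.is_a?(Permission) && workflow == other.workflow && action == other.action
  end
  alias eql? ==
  def hash; [workflow, action].hash; end
end
TALIA_PERMISSION = Permission.new

# In-memory stand-ins for the Role and User models (the real ones would be
# ActiveRecord objects); they expose the methods listed in the spec.
class Role
  attr_reader :name, :permissions, :users
  def initialize(name)
    @name, @permissions, @users = name, Set.new, Set.new
  end
  def add_permission(perm)
    @permissions << perm
    self
  end
  def remove_permission(perm = :all)
    perm == :all ? @permissions.clear : @permissions.delete(perm)
    self
  end
  def grants?(perm)
    @permissions.any? { |p| p.covers?(perm) }
  end
end

class User
  attr_reader :name, :roles
  def initialize(name)
    @name, @roles = name, Set.new
  end
  def add_role(role)
    @roles << role
    role.users << self
    self
  end
  def remove_role(role = :all)
    (role == :all ? @roles.to_a : [role]).each { |r| @roles.delete(r); r.users.delete(self) }
    self
  end
  def has_role?(role)
    @roles.include?(role)
  end
  # A user holds a permission if any of their roles grants a covering one.
  def has_permission?(perm)
    @roles.any? { |r| r.grants?(perm) }
  end
end

# Constructed sample data: two roles on the peer-review workflow, plus a role whose permission name is misspelled.
def demo
  reviewer = Role.new('reviewer').add_permission(TALIA_PERMISSION.PEER_REVIEW.VOTE)
  editor   = Role.new('editor').add_permission(TALIA_PERMISSION.PEER_REVIEW) # whole workflow
  typo     = Role.new('typo').add_permission(TALIA_PERMISSION.PEER_REVEIW.VOTE) # accepted, no error
  alice = User.new('alice').add_role(reviewer)
  bob   = User.new('bob').add_role(editor).add_role(reviewer)
  carol = User.new('carol').add_role(typo)
  bob.remove_role(reviewer)
  {
    alice_can_vote:   alice.has_permission?(TALIA_PERMISSION.PEER_REVIEW.VOTE),   # true
    alice_can_accept: alice.has_permission?(TALIA_PERMISSION.PEER_REVIEW.ACCEPT), # false
    bob_can_accept:   bob.has_permission?(TALIA_PERMISSION.PEER_REVIEW.ACCEPT),   # true
    bob_can_upgrade:  bob.has_permission?(TALIA_PERMISSION.UPGRADE_TALIA),        # false
    carol_can_vote:   carol.has_permission?(TALIA_PERMISSION.PEER_REVIEW.VOTE),   # false
    reviewer_users:   reviewer.users.map(&:name)                                  # ["alice"]
  }
end
```

Running demo shows the two properties the spec relies on: a workflow-level permission (TALIA_PERMISSION.PEER_REVIEW) covers every action of that workflow, and a permission created under a misspelled name (PEER_REVEIW) is accepted silently but never matches a real check, so carol ends up with no effective rights. The ALL_CAPS guard in method_missing is what keeps the dynamic constants from turning arbitrary method names into permissions.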
Controller level
At the controller level, it should be possible to check whether a user has a given permission (e.g. to view or modify) on a given source, e.g. (simple example):
    def show
      @source = Source.find(params[:id])
      unless has_permission?(@current_user, TALIA_PERMISSION.SHOW, @source)
        # redirect target is left open in the spec; return so the action does
        # not go on to render the source after redirecting
        redirect_to(...) and return
      end
    end
