Dear Theodoros,

On Sunday 25 January 2009 20:56:44 [email protected] wrote:
> I really appreciate your prompt (and pretty detailed) reply! You've
> given me many ideas about what can be done with Invenio :)
>
> I understand that CERN has a quite complex access restriction system,
> and I can imagine that there is very good reason for that, but for the
> rest of us, who would like to use the standard webaccess subsystem,
> why does the (already built-in) submit action have no effect on who is
> allowed to submit which doctypes?
>
> Again, I hope that I'm missing something, because I cannot believe
> that such a basic feature is left out... The logic is there, you've
> done something similar that works for approvals, so, for example, you
> could check which doctypes the specific logged-in user is allowed to
> submit when the user clicks the 'submit' tab, and THEN build the tree
> with only the allowed ones (if any) or simply show a warning that this
> specific user is not allowed to submit any documents!
>
> I've built several new doctypes for my institution, modified/created a
> couple websubmit functions to work with our needs, and I now have to
> release the site to the public, soon. I spent some time experimenting
> with webaccess, and having worked out some initial problems with the
> referees, I'm now stuck at this, that could invalidate the whole
> project :(
>
> Is there a quick and dirty way to disallow (by default) ALL logged in
> users from submitting to ANY doctype, and then handle this
> authorization to only certain users?

You can indeed use webaccess to protect your submissions, but currently not
with a global deny all and a whitelist. What you can do is protect your
submissions, submission by submission (doctype, e.g.: DEMOART...) and action
by action (act, e.g.: SBI, MBI, FFT...), by authorizing specific roles.

To do this:

* first identify which group/team of users you wish to be able to submit,

* create the corresponding roles (e.g. DEMOART_SUBMITTERS), by connecting
users explicitly to the role, or by using FireRole rules to describe
implicitly the users you wish to be part of the role,

* given e.g. a submission named DEMOART, with an action SBI, you can now 
authorize with WebAccess the DEMOART_SUBMITTERS to submit to DEMOART, by 
connecting the DEMOART_SUBMITTERS role, to the WebAccess action "submit" 
specifying doctype=DEMOART, and act=SBI. (see the attachment)

After this, the action SBI of DEMOART will be protected, and available only to 
members of the role DEMOART_SUBMITTERS.

Note that you can authorize a role to more than one authorization, so you 
don't need to create as many roles as all the combinations of 
submission-doctypes x submission-acts.

Please let us know in case you need further clarifications.

Best regards,
        Samuele




-- 
.O.
..O
OOO

<<authorize.png>>
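
An added example, not part of the original message and not Invenio code: a small Python model of the behaviour described above, where a doctype/act pair becomes restricted only once a role is connected to the "submit" action for it, plus an audit helper that lists the pairs still left open. The user names, the OTHERDOC doctype and all function names are constructed for illustration.

```python
# Model of the per-doctype, per-act protection described in the message.
# Assumption (taken from the message): a (doctype, act) pair is protected
# only after some role has been authorized for it; there is no global deny.
from itertools import product

# Constructed sample data: explicit role membership.
ROLE_MEMBERS = {"DEMOART_SUBMITTERS": {"alice", "bob"}}

# Authorizations connected to the WebAccess action "submit", as
# (role, doctype, act). One role may hold several authorizations.
SUBMIT_AUTHORIZATIONS = [
    ("DEMOART_SUBMITTERS", "DEMOART", "SBI"),
    ("DEMOART_SUBMITTERS", "DEMOART", "MBI"),
]


def roles_for(doctype, act, auths=SUBMIT_AUTHORIZATIONS):
    """Roles authorized to 'submit' for exactly this doctype and act."""
    return {role for role, d, a in auths if (d, a) == (doctype, act)}


def can_submit(user, doctype, act,
               auths=SUBMIT_AUTHORIZATIONS, members=ROLE_MEMBERS):
    """Return True if the user may run this act on this doctype."""
    roles = roles_for(doctype, act, auths)
    if not roles:
        # Nothing connected yet: the pair is unprotected.
        return True
    return any(user in members.get(role, set()) for role in roles)


def unprotected_pairs(doctypes, acts, auths=SUBMIT_AUTHORIZATIONS):
    """Audit helper: every (doctype, act) with no authorization at all."""
    return sorted((d, a) for d, a in product(doctypes, acts)
                  if not roles_for(d, a, auths))


if __name__ == "__main__":
    print(can_submit("alice", "DEMOART", "SBI"))    # member of the role
    print(can_submit("mallory", "DEMOART", "SBI"))  # not in the role
    print(can_submit("mallory", "DEMOART", "FFT"))  # act never protected
    print(unprotected_pairs(["DEMOART", "OTHERDOC"], ["SBI", "MBI", "FFT"]))
```

Running the audit over every doctype and act before opening the site shows which combinations still need an authorization.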
