Hi,
So, Drew, I come here.
On 26/04/2013 17:46, Drew Wills wrote:
Julien,
I'm going to move this discussion over to uportal-dev because I think
it's a great one.
So I have some questions about the customization permissions that you
introduced, because it's one of our needs and we have already done some
little things, and moreover I'm trying to make it available in our next
version of uPortal (migration from 3.2.4 to 4.x in July/August).
Fantastic. I knew this feature would be of interest to more schools.
We should absolutely talk and coordinate.
I don't think that we are the only uportal deployer who has such needs
but I could describe our context and needs for this case, and what I'm
doing to adapt the version 4.0 to our context.
So I contact you mainly because I saw that you recently pushed one
modification to the branch rel-4.0-patch about that, and I was interested
in your plans for this feature and in sharing our experience (since
version 2.6) and maybe more.
And so I'm ready to talk, coordinate, share with you.
So firstly I would like to know what your plans are for "customization
permission", because I'm doing this work at this moment for our context
for the version 4.0.x that I'm adapting for the migration of our version
3.2.4, and I should say I've modified nearly the same things as you.
For the immediate future, I had no further plans than what I checked
in...
- 2 new permissions, 1 for access to the Add Tab button, 1 for
  access to the Customize (gallery) interface
- Users without the permission have the HTML _removed_ in the XSLT
  process
- For the Add Tab, there is also a permissions check in the REST API
  that prevents a sophisticated user from bypassing the UI with a
  clever URL
- The default data says that Authenticated Users may access both
  functions (anyone else may not)
- In both cases, this permissions check _replaces_ the
  isAuthenticated() check that was in the XSL previously
And this change was added only to 4.1 (master), since existing 4.0
deployments won't have the data, and therefore users would suddenly
lose the ability to personalize their layouts.
But it's easy to pull the changes down to 4.0.x (use $git cherry-pick).
Yes, it's exactly what I saw, but I'm working only on the 4.0.x branch so
I can't tell about the 4.1 version. Just one difference from your changes
is that I've introduced only one right, because in our context only a few
users (admin for a school) with fragment owner can modify their layout,
and in this case the user must have the Add Tab button with the
Customize interface (gallery); it makes no sense for us to distinguish two
permissions. But more, for the 4.0.x version (working on 4.0.12-SNAPSHOT) -
in all XSL of the theme - I changed nearly every time the test
$AUTHENTICATED='true' to the test "$AUTHENTICATED='true' and
upAuth:hasPermission('UP_SYSTEM', 'CUSTOMIZE','ALL')" (defined in an XSL
variable) to remove all rights on adding elements, moving elements and
deleting elements when the user doesn't have permission. But now I'm
looking to check such rights on all servlets to avoid problems like the
one you gave with the REST API. On that matter, are all such layout
modification methods only in UpdatePreferencesServlet.java?
Also, to explain our needs: in our context we deploy one portal (with
different virtual domains) for all colleges of our "région" in the center
of France, and some high schools of the "département" of our "région". It
represents around 200 educational organizations with around 100k
students, and for each organization we delegate the rights to define the
DLM of the organization to some people; all other people don't have the
rights to add/modify/delete any element in their layout.
That's a very impressive portal.
Not so impressive, we are only beginning to have more and more access,
but what I can say is that we are near 1 000 000 accesses a month and we
don't have a lot of applications, only what is needed for young people
in education. Our goal is to centralize everything and to avoid users
having too much to do in configuration where this could be done only
once... We are using Grouper for our group management; we developed a
more user-friendly Grouper UI to delegate group management to some users
(who may not have any capabilities in application administration) and
it's completely configurable (we have more than 33k groups), and we will
use the smartldap group to get Grouper's groups in the portal (this will
be in a future contribution from ESUP, and can be seen on GitHub).
I think this enhancement will serve your needs -- just grant the 2 new
permissions only to the same people who have rights to manage DLM
fragments.
Yes, it's exactly what we are looking for, but that's not the only need,
it's a little one for us ;). We need to delegate more things; I am
thinking about publishing a portlet's preferences/parameters to users
inheriting from a DLM, and eventually the possibility to describe a
portlet template that could be used to create a real portlet with
preferences for users who don't have the right to access the portlet
manager. In our context only a superadmin can create/modify/edit
portlets, but we would like to give the DLM auditors the rights to
publish a portlet in a DLM with a context preference/parameter, and they
inherit these properties automatically, but with a restriction to only
some portlets where users have rights.
So if you want, I can share our experience, talk about our needs, and
could provide some help in development or other things for this feature.
Yes, please.
I'm especially keen to tap the talent of the French uPortal community
for helping uPortal live up to its potential. I've seen some very
impressive things from them.
Just one precision: we are working with ESUP, we are a member of their
organization, and we don't want to bypass them; that's not my goal with
this exchange. Moreover, they know our context and have a better
knowledge of uPortal than us.
Please tell us about your requirements and the
enhancements/customizations you've done or are about to do for uPortal
and Apereo portlets. Often there are universities here that would
love to do the same things, but "put them on the back burner" (delay
them) because they believe they'd have to do all the work themselves.
Yes, I know, we have an example with the newsportlet: we have our own
portlet, maybe not so beautiful and a bit older than yours, but with more
features, mainly to delegate rights and publish to users who have the
right permissions ;) But ESUP should give a presentation at the Apereo
conference with news from the French community; maybe you can talk with them.
If you have some questions don't hesitate, also I could provide you some
views of what is working for us, let me know if you are interested.
So I'm ready for any exchange.
drew wills
Thanks
Julien
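
The point raised in this thread, that removing the HTML in the XSLT only hides the controls and the server has to repeat the check on every layout-changing request, shown as an added example that is not part of either message and is not uPortal code. `PermissionChecker`, the action names and the user names are hypothetical; only the `UP_SYSTEM` / `CUSTOMIZE` / `ALL` triple comes from the XSL test quoted above.

```java
import java.util.Map;
import java.util.Set;

public class LayoutActionGuard {

    /** Hypothetical stand-in for the portal's permission service. */
    interface PermissionChecker {
        boolean hasPermission(String user, String owner, String activity, String target);
    }

    // Constructed action names; the real set must be taken from the servlet or REST controller.
    private static final Set<String> MUTATING = Set.of("addTab", "moveElement", "deleteElement");
    private static final Set<String> READ_ONLY = Set.of("getLayout");

    private final PermissionChecker checker;

    LayoutActionGuard(PermissionChecker checker) { this.checker = checker; }

    /** Returns the HTTP status the handler should answer with before doing any work. */
    int authorize(String user, String action) {
        if (user == null) return 401;                // not authenticated
        if (READ_ONLY.contains(action)) return 200;  // reading a layout needs no CUSTOMIZE right
        if (!MUTATING.contains(action)) return 400;  // unknown action: reject, never fall through
        // Same triple as the XSL test, enforced server side for every mutating action.
        return checker.hasPermission(user, "UP_SYSTEM", "CUSTOMIZE", "ALL") ? 200 : 403;
    }

    public static void main(String[] args) {
        // Constructed grants: only the fragment owner holds the CUSTOMIZE permission.
        Map<String, Set<String>> grants =
                Map.of("fragment-owner", Set.of("UP_SYSTEM/CUSTOMIZE/ALL"));
        PermissionChecker pc = (u, o, a, t) ->
                grants.getOrDefault(u, Set.of()).contains(o + "/" + a + "/" + t);
        LayoutActionGuard guard = new LayoutActionGuard(pc);

        String[][] requests = {
            {"fragment-owner", "addTab"}, {"student", "addTab"}, {"student", "getLayout"},
            {null, "addTab"}, {"fragment-owner", "renameEverything"}
        };
        for (String[] r : requests) {
            System.out.printf("%-15s %-17s -> %d%n", r[0], r[1], guard.authorize(r[0], r[1]));
        }
    }
}
```

Routing every mutating action through one guard like this makes it possible to audit coverage by comparing the guard's action list against the handlers that change layout state.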