Loris icon indicating copy to clipboard operation
Loris copied to clipboard

Published 20 hours ago verified publisher icon aces

[roles_manager] new module

Open regisoc opened this issue 1 year ago • 2 comments

Brief summary of changes

Extract of #8929. Contains only the roles_manager module and other necessary items.

Roles are pre-configured sets of permissions automatically assigned when the user is given a new role. This feature allows managers/coordinators to assign permissions to users based on their roles in a study.

New:

  • A main table managing roles and their associated permissions.
  • If users are attributed to a role, changing permissions of that role will trigger the update of user permissions for all user having this role.
  • A tool fix_role_anomalies to fix anomalies detected between user/role/permission tables and *_rel. E.g. in case a role-permission is inserted but corresponding user-permissions are not.
  • Added tables: roles, user_role_rel, role_permission_rel.

Future changes:

  • should include change in the user_accounts module. This module mainly focuses changes on roles and role-permissions. Users that are already assigned to a role will have a permission update once these role permissions are updated. No user-role assignation is done through this module.
  • tests are present for Role lib but not for the role manager at the moment.
  • permission_categories makes no sens when Roles will be fully integrated. References should be removed and permission categories will become roles.

Testing instructions (if applicable)

Module:

  1. Apply patch SQL/New_patches/2024-02-13_roles_modules.sql.
  2. Go to LORIS front-end > Admin > Roles Manager.
  3. Use test plan.

Tool:

  1. Use with php tools/fix_role_anomalies.php, check that it matches was is needed in db.
  2. Use confirm option to perform the change in db, check that it was succesfully done.

Link(s) to related issue(s)

Linked to #7416

regisoc avatar Feb 14 '24 13:02 regisoc

@driusan should be good for review once automated tests are ok.

regisoc avatar Feb 14 '24 14:02 regisoc

Also, I thought about what we discuss on the User::hasPermission method change. Not sure this change is necessary because the whole role-user-permission system is dynamic. When checking if a user has a permission, the call UserPermission::hasPermission checks the user_perm_rel table. We should not have to check all roles for that user because the user_perm_rel table should be up-to-date when roles are modified, meaning changing role-permission rel when users are affected to this role will trigger a user-permission check. Maybe I am missing something, let me know.

regisoc avatar Feb 14 '24 14:02 regisoc