woeip
User account management UX
Description
In order to manage permissions and protect the integrity of the data uploaded to the system, we would like to create a user authentication process that covers the following potential use cases:
MVP
- As an anonymous user, I want to create a secure account associated with my personal identity at a logical/low-friction point in the user flow.
- As an account-holder, I want to recover access if I forget my password.
- As an account-holder, I want to sign into my account at a logical/low-friction point in the user flow.
- As the SysAdmin, I want to manage basic account roles and permissions.
Non-MVP
- As an account-holder, I want to edit certain personal details associated with my account.
- As a signed-in user, I want to stay signed in when I return to the site.
- As an account-holder, I want to view my upload/edit history.
- As an anonymous visitor, I want to view the name of the person who uploaded a specific data set.
- As an account-holder, I want to use single sign-on across all WOEIP apps.
- As an anonymous visitor, I want to view the upload/edit history of any user.
- As the SysAdmin, I want to manage advanced account roles and permissions.
Acceptance criteria
- [ ] MVP use cases have been documented in user flow diagrams and reviewed by team.
- [ ] UIs for each use case have been wireframed and reviewed by team.
- [ ] Errors/edge cases have been adequately addressed within each flow.
- [ ] Development issues have been created for MVP use cases.
- [ ] New non-MVP issues have been created (and include the 9/6/19 roles & permissions grid created w/ WOEIP).
- [ ] All open questions have been resolved.
Dependencies and assumptions
- Various types of account creation may be considered (social sign-in, SMS authentication, traditional username/password combo, etc).
- Email should not be used as account name (reference)
Related documentation
- 9/6/19 roles & permissions grid
- Requirements doc
- Figma Wires: DRAFT and accompanying prototype
- Original Trello cards: Explore Account Creation Flow; Password Reset; Password Management System; Admin Account
Open questions
- [ ] What are our security requirements/thresholds for security?
- [ ] What potential account-related issues/concerns might our core user group(s) face?
- [ ] How might other flows in the app be impacted by account association/authentication (e.g. sharing maps)?
I'm starting on implementing the basic roles and permissions for MVP.
My current thoughts are:
- Use the DjangoModelPermissionsOrAnonReadOnly DRF permissions setting
- Create Django Group objects for each role, and assign model permissions to each group. (described here a little bit)
This should be sufficient for MVP, but also give us a basic framework that we can extend to post-MVP object permissions using something like the Django Guardian extension.
@jayqi Just want to confirm that this is on hold until we finalize some of the design considerations, correct? I'm moving into In Progress regardless, given that we're actively working on those flows.
@wendy-wm-wu: I think we probably need to start breaking this issue out into implementable tickets for each of the MVP bullets:
- Account creation (covered by prototype linked in "Related Documentation" section above)
- Password recovery (covered by #199 which likely needs updating)
- Account sign-in (covered by prototype linked in "Related Documentation" section above)
- SysAdmin management: flow design TBD
I'll try to get to 1 and 3 this week to lift some blockers but if you think the clickable Figma prototype is enough for you to work from for now please feel free to start poking at it.