I'm trying to take out the form-builder-permissions.xml file and find a
different way to map the roles. Maybe have them in a database. Is there a
way to do this? The reason we need to get rid of
form-builder-permissions.xml is that there will be too many roles to list.
The goal is for everything regarding roles to be in a database as opposed to
being hard-coded. Any direction would be great.
At this point there isn't a way to have those permissions defined in a place
other than `form-builder-permissions.xml`. This is to say that this would
need to be implemented as a new feature. But I am curious: how many roles do
you expect to have, roughly? And could you tell me more about the use case
that calls for that many roles to be defined?
Thank you for your insight. We would have thousands of roles - we are using
Orbeon Forms for several different agencies to have several of roles within
them. The plan now is to block access to restricted resources within our
program so that we don't actually need Orbeon to have roles. We're just
starting on that now! So hopefully that comes together well.
I can see the approach you describe work for cases where you want to prevent
form authors from accessing certain existing forms.
A minor downside is that when users try to access a page, say
`/fr/orbeon/builder/edit/123`, you'll need to call the Orbeon Forms API to
know what the app/form for `123` is before you can know whether to let the
user through or not.
More importantly, the following might be showstoppers:
1. You can't use the Form Builder summary page.
2. You can't really use the new page, since you can't restrict the app/form
name users enter.
So our plan involves a lot of URI parsing to work around the two things you
mentioned there. Since for every new form created, the URI will start with
"/fr/orbeon/builder/new", we have that as an acceptable URI.
As far as the new form summaries go, since the URI for a summary is
"/fr/app/form/summary", we are only going to have a few apps that we allow
to pass through, and from there we are going to let our program that we are
connecting Orbeon Forms to block everything that isn't a form saved in our
database to that app. With this part I don't know if I'm explaining it as
well as it was explained to me, just because I don't fully understand how we
are going to keep all of our users from viewing whatever form they want just
by writing in a different URL.
Blocking the overall summary page "/fr/" from end users is something we
absolutely want to do.
Our workaround seems like it's fine for like broke-stroke blocking, but I
don't know how tricky it will be within our program to track who can see
I will definitely post back when we work this out!