Form Builder Access in 4.0


Form Builder Access in 4.0

charles.thomas

Sirs:

I am trying to restrict the building of forms in certain applications to specified users.  I followed the instructions in “Documentation > II. Developer and Administration Guide > Form Runner > Form Runner Access Control > 4 Access control for editing forms” at http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/access-control.  I am working with orbeon-4.0.0.201302221940-PE.

I want only users who have the role “argo-app1-form-editor” to be able to create or modify forms in application “ArgoApp1” and only users who have the role “argo-app2-form-editor” to be able to create or modify forms in application “ArgoApp2”.  This seems to work.

One problem I am having is, when I assign the same user to both roles, the Form Builder Summary Screen shows only the forms in one application.  So, by looking at this Summary Screen, the user does not see that he can modify forms in the other application he has permission to modify.  If I click “Show search options”, the Application Name box drop-down-list does show both application names, and selecting the second application makes the forms in that application appear in the list.  The statement in the documentation, “The Form Builder summary page will only show forms the users have access to” is correct; however, the summary page does not show all the forms the user has access to.  So the user does not have an overall view of which forms he can modify.  My first question is, how do I show the user all the forms he has permission to update?  Or, how do I prompt him to search for more?

The second problem I am having is, when this user clicks the “New” button on the Form Builder Summary Screen, the pop-up that appears lists both applications the user has permission to change, but it limits him to just those applications.  The user has no way to create a new application or forms in a new application.  Defining that a user has permission to create/update forms in specified applications should not prevent his creating a new application to contain new forms.  I guess it would be possible to set up the user’s permission to create/update forms in the new application before the new application is created, but this seems backwards.  The form author should be able to create a new application and forms, and then set the security that applies to them.  My second question is, how do I allow a user who has permission to create/update forms in a specified application to create a new application and forms in the new application?

I tried adding another “overall-editor” role and assigning the user to it with the following entries:

In tomcat-users.xml:

        <role rolename="argo-overall-form-editor"/>
        <user username="thomacha" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" roles="orbeon-user,orbeon-form-builder-role1,argo-app1-role,argo-app2-role,argo-app1-form-editor,argo-app2-form-editor,argo-overall-form-editor"/>

In form-builder-permissions.xml:

        <role name="argo-overall-form-editor" app="*" form="*"/>

But, it did not solve my problem.

Thank you.

Here are my form-builder-permissions.xml entries:

        <role name="argo-app1-form-editor" app="ArgoApp1" form="*"/>
        <role name="argo-app2-form-editor" app="ArgoApp2" form="*"/>

Here are my tomcat-users.xml entries:

        <role rolename="orbeon-user"/>
        <role rolename="orbeon-form-builder-role1"/>
        <role rolename="argo-app1-role"/>
        <role rolename="argo-app2-role"/>
        <role rolename="argo-app1-form-editor"/>
        <role rolename="argo-app2-form-editor"/>
        <user username="thomacha" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" roles="orbeon-user,orbeon-form-builder-role1,argo-app1-role,argo-app2-role,argo-app1-form-editor,argo-app2-form-editor"/>
        <user username="formUser1" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" roles="orbeon-user,argo-app1-role"/>
        <user username="formEditor1" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" roles="orbeon-user,argo-app1-role,orbeon-form-builder-role1,argo-app1-form-editor"/>

Here are my properties-local.xml entries:

        <!-- Enable container-driven security roles -->
        <property as="xs:string" name="oxf.fr.authentication.method" value="container"/>

        <!-- Specify possible security roles -->
        <property as="xs:string" name="oxf.fr.authentication.container.roles"
                  value="orbeon-user argo-app1-role argo-app2-role orbeon-form-builder-role1 argo-app1-form-editor argo-app2-form-editor"/>

Here are my /orbeon/WEB-INF/web.xml entries:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner pages</web-resource-name>
            <url-pattern>/fr/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>orbeon-user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Try limiting access to Form Builder to user orbeon-form-builder-role1 -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Builder</web-resource-name>
            <url-pattern>/fr/orbeon/builder/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>orbeon-form-builder-role1</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Try limiting access to ArgoApp1 in Form Runner to user argo-app1-role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>ArgoApp1</web-resource-name>
            <url-pattern>/fr/ArgoApp1/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>argo-app1-role</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Try limiting access to ArgoApp2 in Form Runner to user argo-app2-role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>ArgoApp2</web-resource-name>
            <url-pattern>/fr/ArgoApp2/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>argo-app2-role</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- The servlet deployment descriptor allows one role-name per security-role,
         so each role referenced in an auth-constraint is declared separately -->
    <security-role>
        <role-name>orbeon-user</role-name>
    </security-role>
    <security-role>
        <role-name>orbeon-form-builder-role1</role-name>
    </security-role>
    <security-role>
        <role-name>argo-app1-role</role-name>
    </security-role>
    <security-role>
        <role-name>argo-app2-role</role-name>
    </security-role>

Here are my Tomcat server.xml entries:

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               digest="MD5"
               resourceName="UserDatabase"/>
    </Realm>

--------------------------------------------------- Confidentiality Notice: This electronic mail transmission is confidential, may be privileged and should be read or retained only by the intended recipient. If you have received this transmission in error, please immediately notify the sender and delete it from your system.

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Re: Form Builder Access in 4.0

Alessandro  Vernet
Administrator
Hi Charles,

First, thank you for the detailed report. This is really helpful.

1. About not all the forms showing in Form Builder's summary page - When permissions are enabled, only the forms in the "first" app you have access to are shown. Click on "Show more options", and you'll see a drop-down listing the apps you have access to. That first app will be selected. If you want to see forms from another app, select it there, and hit search, and the forms in that app will show.

Now, I agree, ideally, there would be an entry in that drop-down that says "all apps (I have access to)", and it would be the one selected by default. This is of course doable, but isn't exactly trivial, and this is why we didn't get to implement it yet. I added an RFE for this:

https://github.com/orbeon/orbeon-forms/issues/878

2. Creating new apps - What would be the logic there? You're saying that if I have access to apps A and B, I should be able to create forms in C, but only if there are no existing forms in C? If that is the case, then going to the summary page, you wouldn't be able to access that form in the app C, since you don't have access to it. And you wouldn't be able to create any additional form in C. That wouldn't make much sense, would it?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

RE: Re: Form Builder Access in 4.0

charles.thomas
Alex,

Thank you for the fast reply and for taking the time to really read my questions.

About Number 2 Creating New Apps:  The idea is that I, as the main form developer for the company, developed forms for the Lending Department (application = "Lending") and set up security so that in order to change the Lending Department Forms a departmental form author needs to have the "lend-form-edit" role.  So, I assigned myself the "lend-form-edit-role".  However, that prevented my authoring forms for the Accounts Payable Department (application = "Payables").  By specifying that an author must be in the "lend-form-edit role" in order to create/update forms for the Lending Department, I am not saying that the same author cannot access other Departments' forms, just that he must have this role to access this Department's forms.

I continued thinking about the problem after sending the email and came up with what appears to solve the problem.  It seems to work, please let me know if it makes sense to you.  Here is what I did.

        (1) I defined a new role "argo-overall-form-editor" in the tomcat-users.xml and assigned that role to myself along with the roles I previously had (I probably could have removed all the other form-editor roles I had, but I did not).

        <role rolename="argo-overall-form-editor"/>
        <user username="thomacha" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" roles="orbeon-user,orbeon-form-builder-role1,argo-app1-role,argo-app2-role,argo-app1-form-editor,argo-app2-form-editor,argo-overall-form-editor"/>

        (2) Then I added the new role to the list of security roles in the properties-local.xml file.

        <property as="xs:string" name="oxf.fr.authentication.container.roles"
                  value="orbeon-user argo-app1-role argo-app2-role orbeon-form-builder-role1 argo-app1-form-editor argo-app2-form-editor argo-overall-form-editor"/>

        (3) Then I gave the new role access to all applications and forms in the form-builder-permissions.xml file.

        <role name="argo-overall-form-editor" app="*" form="*"/>

Now when I go to the Form Builder Summary screen I see all the forms in all applications and can create new applications and forms.  Does this seem right to you?

Thank you,
Charles
 
-----Original Message-----
From: Alessandro Vernet [[hidden email]]
Sent: Thursday, March 14, 2013 8:11 PM
To: [hidden email]
Subject: [ops-users] Re: Form Builder Access in 4.0
 

RE: Re: Form Builder Access in 4.0

Alessandro  Vernet
Administrator
Hi Charles,

So yours looks something like:

<role name="argo-overall-form-editor" app="*" form="*"/>
<role name="argo-app1-role" app="app1" form="*"/>
<role name="argo-app2-role" app="app2" form="*"/>


If that is the case, yes, I think this is the way to go. I think that a downside of the "cumulative permissions" system we use is that you can't say something like "anyone can access any app, except app=secret-app, which requires role=nsa-role".

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
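As an added example (not code from this thread or from Orbeon), the script below models the cumulative permission rule Alex describes above, applied to the kind of entries Charles posted in his steps (1) and (3): it parses tomcat-users.xml-style <user> elements and form-builder-permissions.xml-style <role> elements, reports the apps each user can effectively edit, and lists the users whose roles carry an app wildcard. The matching semantics (any held role with a matching grant suffices; "*" matches anything), the <roles> wrapper element, the hypothetical SecretApp/secret-role entries and all function names are assumptions made for illustration.

```python
# Added example (not Orbeon's code): offline audit of the effective Form
# Builder edit permissions produced by tomcat-users.xml and
# form-builder-permissions.xml under the cumulative model described in
# the thread. Assumptions: a user may edit (app, form) if ANY of their
# roles has a <role> entry whose app and form attributes match it, and
# "*" matches anything. The <roles> wrapper element is assumed; only the
# <user> and <role> elements are actually read.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the files quoted in the thread
# (passwords omitted; formUser1 holds no Form Builder role at all).
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="orbeon-user"/>
  <role rolename="orbeon-form-builder-role1"/>
  <role rolename="argo-app1-form-editor"/>
  <role rolename="argo-app2-form-editor"/>
  <role rolename="argo-overall-form-editor"/>
  <user username="thomacha" roles="orbeon-user,orbeon-form-builder-role1,argo-app1-form-editor,argo-app2-form-editor,argo-overall-form-editor"/>
  <user username="formEditor1" roles="orbeon-user,orbeon-form-builder-role1,argo-app1-form-editor"/>
  <user username="formUser1" roles="orbeon-user,argo-app1-role"/>
</tomcat-users>"""

# Constructed: the thread's entries plus a hypothetical "SecretApp" that
# is intended to be editable only through "secret-role".
FORM_BUILDER_PERMISSIONS_XML = """<roles>
  <role name="argo-app1-form-editor" app="ArgoApp1" form="*"/>
  <role name="argo-app2-form-editor" app="ArgoApp2" form="*"/>
  <role name="argo-overall-form-editor" app="*" form="*"/>
  <role name="secret-role" app="SecretApp" form="*"/>
</roles>"""


def parse_users(xml_text):
    """Map each username to the set of container roles it holds."""
    users = {}
    for user in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        users[user.get("username")] = roles
    return users


def parse_permissions(xml_text):
    """Map each Form Builder role name to its list of (app, form) grants."""
    perms = {}
    for role in ET.fromstring(xml_text).iter("role"):
        perms.setdefault(role.get("name"), []).append((role.get("app"), role.get("form")))
    return perms


def can_edit(user_roles, perms, app, form):
    """Cumulative check: one matching grant on any held role is enough."""
    for role in user_roles:
        for grant_app, grant_form in perms.get(role, []):
            if grant_app in ("*", app) and grant_form in ("*", form):
                return True
    return False


def known_apps(perms):
    """All concrete (non-wildcard) app names mentioned in the permissions file."""
    return sorted({app for grants in perms.values() for app, _ in grants if app != "*"})


def effective_apps(user_roles, perms):
    """Apps the user can edit; '*' when a held role carries an app wildcard."""
    if any(app == "*" for role in user_roles for app, _ in perms.get(role, [])):
        return "*"
    return [app for app in known_apps(perms) if can_edit(user_roles, perms, app, "any-form")]


def audit(users_xml=TOMCAT_USERS_XML, perms_xml=FORM_BUILDER_PERMISSIONS_XML):
    """Effective app access per user, the view an administrator reviews."""
    users, perms = parse_users(users_xml), parse_permissions(perms_xml)
    return {name: effective_apps(roles, perms) for name, roles in users.items()}


def wildcard_holders(users_xml=TOMCAT_USERS_XML, perms_xml=FORM_BUILDER_PERMISSIONS_XML):
    """Users who can edit every app, including any app added later (SecretApp here)."""
    return sorted(name for name, apps in audit(users_xml, perms_xml).items() if apps == "*")


if __name__ == "__main__":
    for name, apps in audit().items():
        print(f"{name}: {apps}")
    print("wildcard holders:", wildcard_holders())
```

Pass the contents of the real files to audit() to run it against a deployment. The point it makes is the one Alex raises: once a user holds a role with app="*", adding a further <role> entry for a new app cannot exclude that user, so a periodic listing of wildcard holders is the check worth keeping.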

RE: RE: Re: Form Builder Access in 4.0

charles.thomas
Thank you.

-----Original Message-----
From: Alessandro Vernet [mailto:[hidden email]]
Sent: Tuesday, March 19, 2013 7:41 PM
To: [hidden email]
Subject: [ops-users] RE: Re: Form Builder Access in 4.0
