Management of users |
User account is probably the most important entity type in the AskiaPortalCmn API.
All actions are done by a user.
The current user
(IContextUser) is always test to determine
if the user is allowed to do the action or the settings to
apply while doing the action etc...
AskiaPortalCmn API tries to be convenient, as much as possible, to cover all use cases (a user editing is own account, an administrator editing another user account...)
This topic contains the following sections:
User accountA user account could have different kind of role in AskiaPortal. It could be:
A user account contains different kind of data. Some of them are editable by the user himself, some of them are editable by an administrator and some other are only editable by a super-administrator.
The API take care about the difference of data and uses a simple-stupid pattern/rule to mark the distinction between them:
All read-write IUser properties are editable by the user himself or by an administrator.
All read-only data IUser properties that require a method as a setter require administrative privilege.
The exceptions of that rules are for few methods like: Delete(Boolean), ChangePassword(String, String, String), TouchLastConnectionAt, etc... that doesn't require an administrative privilege and that could be done by the user himself.
Groups membership
A group of users is an abstract
helper to select
several users in one go.
A group of users, could contains one or several groups of users ( IGroupParentId).
There is no hard-coded limitation on the depth nested groups level.
A user is member of only one.
SettingsSettings of user (or user profile) are additional/extensible data available per user and per module.
It could be settings set by administrators to filter the user interface of a module.
Or it could be user preferences that could be changed by the current user itself.
 Security Note |
|---|
At the API level, the current user is allowed to edit his own settings. But the settings could be protected at the user interface level. If the settings requires to be protected at the API level, prefer the usage of the user permissions. |
Modules accessA user is allowed to access modules according to the table UsersModules.
Super-administrators or users with permission to accessAllModules are allowed to access all modules.
AskiaPortalCmn API automatically check if the current user (in the context) is allowed to access the current module.
There are special modules in the AskiaPortalCmn API:
- AskiaPortal
This main module is accessible by everybody.
This module is mostly use to manage the AskiaPortal login/registration pages and the main application pages.
- Administration
This module should be accessible by administrators.
This module gives an access to the Administration part of AskiaPortal.
- Home
This module should be accessible by everybody.
This is the module displayed by default.
User profilesBecause a user could be on several groups, it could not inherits settings or modules access from the group.
User profile
is a way to
provide inheritance feature for the users.
A user could or not inherit from a user profile.
Settings or Modules access could be override at the user level.
PermissionsAll permissions are apply on user and never on group.
A user could be set as a super-administrator (IUserIsSuperAdmin).
A super-administrator is granted to access everything, subsequent permissions are never checked in this case.
A user have only one permission per type of permission.
The standard permission rule in AskiaPortalCmn is:
IF a user have enough permission AND can access the item,
THEN it can manage the item
For example:
IF the user can create and edit users AND only managed the group 'A' THEN it can create and edit users in the group 'A' only
There are 2 kinds of permission item:
Boolean permissions
Permissions that could be tested as boolean value (ex: PermissionTo)
For example:
- manageAllGroups
Can manage all groups?
- accessAllModules
Can access all modules?
- reachEverybody
Can reach everybody?
- createSurveys
Can create surveys?
Permissions with level
Permissions with level of access (ex: AccessTo)
The level are defined by this enumerator AccessLevel
Permission | Description |
|---|---|
0: None | Not allowed to access this type of items |
1: ReadOnly | Allowed to access this type of items, but not allowed to edit or create it. |
2: EditOnly | Allowed to only edit this type of items, but not allowed to create, delete or restore it. |
3: CreateAndEdit | Allowed to create and edit this type of items, but not allowed to delete or restore it. |
FullControl | Full control on this type of items. Allowed to create, edit, delete or restore it. |
For example:
- groups
Can view, read, edit, create or have full control on groups?
- users
Can view, read, edit, create or have full control on users?
Manageable groupsA user is allowed to manage groups according to the table ManagedGroups.
Super-administrators or users with permission to manageAllGroups are allowed to manage all groups.
The property CreatedBy of IGroup doesn't have an impact on the manageable groups.
- Permission to only read groups
This permission disallow the user to edit groups BUT it's dissociated to the permission to create or edit users ( AccessToUsers).
- Permission to create and edit groups
The user can manage all groups.
In such case, he can create root groups or descendant groups everywhere.
The user is not allowed to managed all groups but few of them.
In such case, he can only create descendant of his manageable groups.
By side effects, new group is naturally editable by the user who just create it.
- Permission to delete groups
A user can delete all of his manageable groups.
There are however some exceptions:
Administrators group
(Id=1) cannot be deletedDefault group
(1) cannot be deletedThe API will refuse to produce orphan users (users without group)
(1) The default group
is the group automatically assign to new registered users.
It's the one defined in configuration.
Manageable usersA user is allowed to manage users of his manageable groups.
Super-administrators or users with permission to manageAllGroups are allowed to manage all users.
The property CreatedBy of IUser doesn't have an impact on the manageable users.
- Permission to create and edit users
A user can create or edit a user into all of his manageable groups.
There are however many exceptions:
The current user can register/create himself (Context for registration).
The current user can activate himself (Context for activation).
The current user can edit all the non-administrative information of his own account.
The current user (even a super-administrator) cannot edit his own administrative information.
The current user (not a super-administrator) cannot edit a super-administrator.
The current user (even a super-administrator) cannot edit the default super-administrator (Id=1).
The current user cannot promote another user as super-administrator, if he's not himself a super-administrator.
The current user cannot demote a super-administrator, if he's not himself a super-administrator.
The default super-administrator (Id=1) cannot be demote.
The current user cannot transfer a user to a group, if he (the current user) can himself manage the group.
The current user cannot allow or disallow a permission, if he (the current user) don't have the permission himself.
- Permission to delete users
A user can delete a user into all of his manageable groups.
There are however some exceptions:
The current user can delete himself.
The current user (not a super-administrator) cannot delete a super-administrator.
The current user (even a super-administrator) cannot delete the default super-administrator (Id=1).
Reachable groups/usersA user can share with all reachable groups/users defined in the database table ReachableGroupsAND all users/groups of his membership groups.
Super-administrator or user that have the permission to reachEverybody can share with everybody.
See Also