[Dspace-general] Delegate Admins & authorization system
Andrea Bollini
bollini at cilea.it
Mon Dec 5 10:26:15 EST 2005
Hi,
I'm pleased to announce the release of a patch that modifies the
authorization mechanism of DSpace. It introduces a useful implicit
rule for permissions and also a simple realization of a community admin role.
The patch is for today's CVS Head (2005-12-05 11:00 GMT).
This patch makes a new Action available for any DSpace object:
bitstream, bundle, item, collection, community, group.
The Action ADMIN allows any user to perform any other action on the
DSpace object and to set policies on the object.
AuthorizeManager now checks permission to perform an ADMIN action on
DSpace object target when anyone tries to set/create/remove a policy
(this is more appropriate than check for it with a "filter" on webUI).
A new implicit autorization mechanism is introduced by the
AuthorizeManager.isAdmin(Context,DSpaceObject) method called by
AuthorizeManager.authorize().
This mechanism throws the authorization check on the "container" of
the DSpace object.
The containers defined are:
- community: the parent community
- collection: the parent community
- item: the owner collection or the related collection if the item is
a "template"
- bundle: the item where the bundle resides
- bitstream: the bundle where the bitstream resides or, if the
bitstream is not inside any bundle, e.g. is a logo, the related
collection or community
- group: if the group is a workflow, submitter or admin group the
related collection (or community for the admin group)
The implicit rule is performed on any "container" object (e.g.
bitstream - bundle - item - collection - subcommunity - ........ -
community - system) until a permission is found or denied.
The COLLECTION_ADMIN action is now replaced by ADMIN action on the collection.
For backwards compatibility, when new content (subcommunity or
collection) is created in a community, by a user with only ADD
permission, the Community.createSubCommunity() and
Community.createCollection() methods automatically create the admin
group for this new content and insert the current user in it.
WRITE permission on a community or collection now does not allow the
user to edit the related groups but only to set the metadata. This is
more refined than before, because if needed, the system admin can
authorize the user to edit the group by creating a specific policy
(ADD/WRITE or ADMIN permission) - webUI authorize system needs to be extended.
We have tested the patch for creation of new community, collection,
submission, workflow and any other situation that we have thought of,
but if anyone discovers any bugs please send me an email and I will
be happy of working on it for allowing the inclusion of the patch in
the DSpace core.
Best regards,
Andrea
More information about the Dspace-general
mailing list