MOM CA: Authentication
The rights of a user are defined by the xrx:role and xrx:community elements in the user collections or by the role of the user in the database user administration.
The authentication control is addressed by xrx:auth in the widgets, services and modules.
The role of a user is defined in the element xrx:role in the $user-id.role.xml document in the user's collection. The element contains the user roles.
Frontend-GUI access to archivist assignment for user-administrators is through
- defining a user as archivist in MyArchive > Manage Roles > Archivists
- assigning an archivist to an archive: select the appropriate archives, then click on "Manage Archivists".
A "community" contains all users with special rights to a collection or archive. The community membership of a user is defined by the $user-id.community.xml in the user's collection. It refers to the atom:id of the archive.
The community-module handles the modification of community membership.
Details:
The user-administrators are responsible for adding people to a community. Currently they are the ONLY ones who can do that.
To add users to a community, the community:add function has to be called. This is only ever done internally inside the community:refresh function, which in turn is only ever called once, inside mom/app/archive/service/manage-archivists.service.xml.
This service, in turn, can currently only be accessed by user-administrators through the widget mom/app/archive/widget/manage-archivists.widget.xml.
In the widget, a single archive context is established through the archiveid (which is extracted from the URL). The user-administrator can add new so-called "archivists" to the current contextual archive. The user-administrator is presented with a list of all users and also with a list of the archivists already in place in the context of this archive. (This is similar to the interface for choosing metadata-managers as a user-administrator, for example.) When clicking on the "Save" button, all previous archivists minus the removed ones plus the newly chosen ones are submitted to manage-archivists.service.xml. The current contextual archive-id, expanded and transformed into an atom-id, is also submitted.
The service, on the other hand, does nothing else than take the submitted archivists and archive-atomid and call the function community:refresh($archivists, $archive-atomid). That is all it does. $archivists contains a sequence of e-mails, by the way; these are used to identify the users.
Inside the community:refresh function, all users that are part of the current archive-id community are removed from the community (with community:remove). Then all the archivists that were submitted by the user-administrator through the service a moment ago are added to the community as members (with community:add).
The actual community membership is modelled in the following way: each user has a file inside their user collection in which the communities they belong to are listed, inside the xrx:communities element. Like so:
<xrx:communities xmlns:xrx="http://www.monasterium.net/NS/xrx">
<xrx:community>tag:www.monasterium.net,2011:/archive/DE-HStAMa</xrx:community>
<xrx:community/>
</xrx:communities>
Currently there are only about eight users who belong to a community, and another six (if I counted right) who once belonged to a community but no longer do. This can be deduced from communities elements that do not contain a community, like so:
<xrx:communities xmlns:xrx="http://www.monasterium.net/NS/xrx">
<xrx:community/>
</xrx:communities>
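As an added illustration (not the project's own XQuery from community.xqm or member.xqm), the following Python models the refresh step described above over per-user community files in exactly the format just shown: every current member of the archive's community is dropped, then only the submitted e-mails are added back, so a "Save" that omits a user silently revokes that user's membership. The user e-mails and the second archive id are constructed sample values.

```python
import xml.etree.ElementTree as ET

XRX = "http://www.monasterium.net/NS/xrx"
ET.register_namespace("xrx", XRX)
COMMUNITY = f"{{{XRX}}}community"

def parse_communities(xml_text):
    """Archive atom:ids listed in one $user-id.community.xml (empty elements are ignored)."""
    root = ET.fromstring(xml_text)
    return [c.text.strip() for c in root.findall(COMMUNITY) if c.text and c.text.strip()]

def serialize_communities(ids):
    """Rebuild the document: one element per membership plus the empty placeholder seen on the page."""
    root = ET.Element(f"{{{XRX}}}communities")
    for archive_id in ids:
        ET.SubElement(root, COMMUNITY).text = archive_id
    ET.SubElement(root, COMMUNITY)
    return ET.tostring(root, encoding="unicode")

def community_remove(docs, email, archive_id):
    docs[email] = serialize_communities([i for i in parse_communities(docs[email]) if i != archive_id])
def community_add(docs, email, archive_id):  # unknown e-mails raise KeyError here (assumption)
    ids = parse_communities(docs[email])
    if archive_id not in ids:
        ids.append(archive_id)
    docs[email] = serialize_communities(ids)
def community_members(docs, archive_id):
    return {email for email, doc in docs.items() if archive_id in parse_communities(doc)}
def community_refresh(docs, archivists, archive_id):
    """Replace-all semantics: the submitted list becomes the whole community, nothing is merged."""
    for email in community_members(docs, archive_id):
        community_remove(docs, email, archive_id)
    for email in archivists:
        community_add(docs, email, archive_id)
def former_members(docs):  # users whose file lists no community at all: "once belonged, no longer"
    return {email for email, doc in docs.items() if not parse_communities(doc)}

# Constructed sample: four user files keyed by e-mail, as the service identifies users.
DE_HSTAMA = "tag:www.monasterium.net,2011:/archive/DE-HStAMa"
OTHER_ARCHIVE = "tag:www.monasterium.net,2011:/archive/XX-Example"  # constructed id
SAMPLE_DOCS = {
    "anna@example.org": serialize_communities([DE_HSTAMA]),
    "ben@example.org": serialize_communities([DE_HSTAMA]),
    "cara@example.org": serialize_communities([OTHER_ARCHIVE]),
    "dan@example.org": serialize_communities([]),
}
def run_demo():
    """A user-administrator saves Ben and Dan as the archivists of DE-HStAMa; Anna is dropped."""
    docs = dict(SAMPLE_DOCS)
    community_refresh(docs, ["ben@example.org", "dan@example.org"], DE_HSTAMA)
    return community_members(docs, DE_HSTAMA), community_members(docs, OTHER_ARCHIVE), former_members(docs)
```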
By the way, the underlying functionality starting with community:refresh all happens inside the "auth" app. It consists of only a few XQuery modules, which themselves depend on others again: https://github.com/icaruseu/mom-ca/blob/master/my/XRX/src/core/app/auth/auth.app.xml#L32
For the community-related functionality the most important (contextually, more or less) top-level XQuery modules are of course community.xqm and member.xqm.
The actual access to managing the respective community members is done through the "archive" app as mentioned above and is only accessible to user-administrators.