Setting permissions for self-registered users

mlapl1
2009-05-24
2013-05-28
  • mlapl1
    mlapl1
    2009-05-24

    Hello

    I have just installed refbase and it looks like just what I need for my work with an international association of scholars.

    I have looked for answers to the following questions but have not been able to find answers in the docs - sorry if I did not look in the right places.

    I want to enable users to self-register (I worked out how this happens - although I would prefer to have some kind of authentication such as email confirmation).

    I would like all users who self-register to:

    (a) be able to add records
    (b) be able to modify their own records (I suspect this is not possible)
    (c) be able to delete their own records (I suspect this is also not possible)

    and perhaps set some other parameters too. I can adjust each user manually but this would defeat the purpose of self-registration.

    I suspect that I can achieve what I want to do by creating user groups and somehow assigning a particular group as a default for all self-registering users. But I do not know how to do this.

    Any help would be REALLY appreciated.

    Thanks a lot
    Andrew

     
    • Hi Andrew,

      > I want to enable users to self-register (I worked out how this
      > happens

      Good. Basically, you just provide a link to 'user_details.php' on your website, and set variable '$addNewUsers' in file 'initialize/ini.inc.php' to "everyone".

      In the next version, with '$addNewUsers' being set to "everyone", a "Register" link will popup automatically underneath the login form.

      > I would like all users who self-register to:
      >
      > (a) be able to add records
      > (b) be able to modify their own records (I suspect this is not possible)
      > (c) be able to delete their own records (I suspect this is also not possible)

      Unless I'm misunderstanding you, this is the default behaviour. I.e., it should work out of the box as you describe. Let us know if this isn't the case for you.

      You can specify the default user permissions in variable '$defaultUserPermissions' in 'ini.inc.php'.

      W.r.t. deletions of records, see also:

      http://www.refbase.net/index.php/Deleting_records

      > and perhaps set some other parameters too. I can adjust each user
      > manually but this would defeat the purpose of self-registration.

      The 'ini.inc.php' file offers more global variables that define the initial state after first login. You might be interested to checkout all variables that start with "$default...", especially the user-specific ones:

      $defaultUserExportFormats
      $defaultUserCiteFormats
      $defaultUserStyles
      $defaultUserTypes
      $defaultUserOptions

      > I suspect that I can achieve what I want to do by creating user
      > groups and somehow assigning a particular group as a default for all
      > self-registering users. But I do not know how to do this.

      ATM, this is not possible. But, judging from the description of your above requirements, I think you should be able to get what you want using the available options.

      HTH, Matthias

       
      • mlapl1
        mlapl1
        2009-05-24

        Hi Matthias

        Thank  you for your quick response. Please see my comments below after the @@@ signs:

        Hi Andrew,

        > I want to enable users to self-register (I worked out how this
        > happens

        Good. Basically, you just provide a link to 'user_details.php' on your website, and set variable '$addNewUsers' in file 'initialize/ini.inc.php' to "everyone".

        In the next version, with '$addNewUsers' being set to "everyone", a "Register" link will popup automatically underneath the login form.
        @@@
        No problem

        > I would like all users who self-register to:

        > (a) be able to add records
        > (b) be able to modify their own records (I suspect this is not possible)
        > (c) be able to delete their own records (I suspect this is also not possible)

        Unless I'm misunderstanding you, this is the default behaviour. I.e., it should work out of the box as you describe. Let us know if this isn't the case for you.

        You can specify the default user permissions in variable '$defaultUserPermissions' in 'ini.inc.php'.
        @@@
        Unfortunately this is NOT happening on my current installation - maybe because I created the tables manually (I was having installation problems). I will look at the ini file in detail.

        What IS happening is that new users have permission to do ANYTHING.
        They can create records (no problem)
        They can edit records - including records which they do NOT own :-(
        They can delete records - including records which they do NOT own :-(

        As I said, I have not examined the ini file which contains a LOT of options (thank you).

        I like the system very much, I also like the simplicity of the tables and their good information. I will spend some time today examining all that is there
        THANK YOU
        Andrew

         
    • >> it should work out of the box as you describe
      > Unfortunately this is NOT happening on my current installation
      > - maybe because I created the tables manually

      How did you create the tables manually? Did you follow the process outlined at:

      http://manualinstall.refbase.net/

      For testing/comparison purposes, it might be a good idea to try to install refbase at a location where you've got MySQL root permissions, e.g. try installing refbase locally (using XAMPP or similar packages).

      http://www.apachefriends.org/en/xampp.html

      > What IS happening is that new users have permission to do ANYTHING.

      But do I understand you correctly that you can successfully disable permissions for certain users in the refbase admin interface?

      > They can create records (no problem)

      Yes, that's enabled by default for all users.

      > They can edit records - including records which they do NOT own :-(

      This is intended, since this is just how refbase works. See

      http://www.refbase.net/index.php/Sharing_records#Can_everybody_view_.26_edit_my_own_records.3F
      http://www.refbase.net/index.php/Editing_records

      > They can delete records - including records which they do NOT own :-(

      This shouldn't be the case. If a non-admin user is NOT listed (as the sole user) in the 'location' field or a particular record, the user should not be allowed to delete that particular record. In other words: in order to be able to delete a record, the user's name must be listed in the 'location' field of that record, and no other users must be listed in the record's 'location' field.

      How did you import your data? Did you import them via the refbase interface or by some other means? In the latter case (e.g. if you loaded records directly into the MySQL database), the 'location' field might not have been populated correctly.

      If possible, please compare your findings with a standard refbase installation (where by "standard" I mean one that has been successfully installed using the 'install.php' script or via the steps outlined at http://manualinstall.refbase.net/ ).

      Thanks, Matthias

       
      • mlapl1
        mlapl1
        2009-05-24

        How did you create the tables manually? Did you follow the process outlined at:

        http://manualinstall.refbase.net/
        @@@
        Yes I did - it all installed correctly I am quite certain. I had to install manually as the install script claimed it could not find the mysql path - anyway that is not a problem or an issue. I have my own dedicated linux server online and have all the possible permissions. It was just easier to do a manual install than try to resolve the installer problem.

        > What IS happening is that new users have permission to do ANYTHING.

        But do I understand you correctly that you can successfully disable permissions for certain users in the refbase admin interface?
        @@@
        Yes the interface allows me to disable/enable

        > They can create records (no problem)

        Yes, that's enabled by default for all users.
        @@@
        ok.

        > They can edit records - including records which they do NOT own :-(

        This is intended, since this is just how refbase works. See

        http://www.refbase.net/index.php/Sharing_records#Can_everybody_view_.26_edit_my_own_records.3F
        http://www.refbase.net/index.php/Editing_records
        @@@
        OK I will follow up

        > They can delete records - including records which they do NOT own :-( 

        This shouldn't be the case. If a non-admin user is NOT listed (as the sole user) in the 'location' field or a particular record, the user should not be allowed to delete that particular record. In other words: in order to be able to delete a record, the user's name must be listed in the 'location' field of that record, and no other users must be listed in the record's 'location' field.
        @@@
        Sorry! That's my misreading of what happened. They CANNOT delete someone else's records - only their own. My apologies. It was very late when I went through the installation and I must have confused two different tests I was performing. I do apologize again.

        To be honest, I think that everything is working pretty well except that I would like users not to be able to edit someone else's records but, as I said above, I will follow up the issue of people editing one another's materials. I have a very specific application where I want colleagues to be able to upload their own bibliographic data and publish it so it can be available to the academic community. I want them to be able to make changes but I do not want others to change their stuff.

        Thank you once again - you have been a great help - I think I will spend some time checking things out but I will probably be able to fix things close enough to what I want by editing the ini file.

        Andrew