Menu

#61 Virtual groups / dynamic membership for CQPweb

TODO-3.5
open
Andrew Hardie
CQPweb (45)
5
2019-08-09
2019-08-09
Andrew Hardie
No

Users are currently automatically assigned to groups according to their email address matching/not matching a given regular expression.

HOWEVER,

(a) if a user's email changes (which is not yet possible, but might be in future) the grants dependent on their old email address will not be revoked - and these grants are not identifiable as having been auto-assigned on the basis of a now-invalid regex-match;

(b) the result of this approach on a big server is lists of group memberships thousands and thousands of users long (making admin UI like "manage group memberships" and "Corpus admin > Manage access" next to useless).

SOLUTION: allow "virtual" groups. Virtual groups have no members(BUT SEE NOTE BELOW!), but they do have a regex. A user is judged to belong to a virtual group if their email address AT THAT MOMENT matches the group's regex AT THAT MOMENT. No permanent membership link is ever created. The user just dynamically accumulates the grants of all the vgroups they match the criterion for on each individual CQPweb access. (This should not be computationally intense, and if it turns out to be, results can be cached for, say, 24 hours)

NOTE:

Actually, another approach -- perhaps easier -- would be to allow users to be assigned manually to the group by the admin but ALSO let the group's autojoin regex be configurable to operate dynamically rather than statically. Currently the DB definition for user_groups has:

        `autojoin_regex`             $type_qdata_text,

If we were to add

        `autojoin_dynamic`             $type_bool_falsy,

then when a member joins, they will only be ADDED to a group if they match its regex and !$group->autojoin_dynamic . Otherwise, the regex will be checked every time (either on every access, or - let's say - on login with results cached for 24 hours.)

If the former approach is "virtual groups" then the latrter would be "dynamic memberships" (as opposed to the existing "static memberships").

STEPS:

  1. Add database field (default false)
  2. Add check mechanism to the compile-user-permissions system.
  3. Amend UI for groups: add "dynamic" as an extras updatable col in "manage groups", make it part of the create group form in "manage group memebrship" (which also, by the way, should be at the top of that page).
  4. Might then be possible to remove the "apply one-off custom regex" tool as superfluous... as its effect would be better achieved by creating an empty dynamic-membership grtoup with that regex.
  5. Document in the manual (sigh!)

Discussion

Log in to post a comment.