
#120 How to create new privilege - MRBS-1.11.0

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2023-02-23
Created: 2023-02-08
Creator: William
Private: No

Hello, good afternoon. I want to create a new privilege called "gatekeeper" that can create rooms and see users.

I am using MRBS version 1.11.0.

Discussion

  • Campbell Morrison

    See https://sourceforge.net/p/mrbs/patches/119/. What exactly do you want to do? Do you want all users to be able to create rooms, or just some?

     
    • William

      William - 2023-02-08

      I need to create a privilege to assign to a user named "gatekeeper".
      MRBS has the privileges: none, user and administration.
      I want to create a new privilege called "gatekeeper" with permissions for certain sections; that is to say, a user with the "gatekeeper" privilege can access, create, edit and delete rooms and areas, and can create reservation reports.

       
      • Campbell Morrison

        So they can do everything except create and edit users? Do you want them to be able to edit and delete other people's bookings? And what authentication type are you using?

         
        • William

          William - 2023-02-08

          Exactly! They cannot create or edit users.
          Of course they can edit and delete other people's reservations.
          I am using authentication by db.

           
  • Campbell Morrison

    I think you should be able to do this by setting in your config file

    $max_level = 3;
    $min_user_editing_level = 3;
    

    and then editing the function is_admin() in mrbs_auth.inc and changing the line

      $required_level = (isset($max_level) ? $max_level : 2);
    

    to

      $required_level = 2;
    

    This will allow four levels (0, 1, 2 and 3) of user. You'll need to manually change the level of one of your admins from 2 to 3 in the user table so that they are able to create other users.

     
    • William

      William - 2023-02-09
       

  • Luciano idiometri

    Hello, is it possible to obtain a similar result but using LDAP?

     
    • Campbell Morrison

      What do you want to do in LDAP, as there is no ability to edit users anyway when using LDAP?

       
  • Luciano idiometri

    Good morning,
    I use the roles branch.

    I used google as a translator.

    I work in an Italian school.
    I have about 1600 students, 250 teachers and 80 various staff.
    We use Google's Ldap.
    I'm in the testing phase.

    Sorry for the long message.

    Teachers change often. When a new teacher arrives, they are added to LDAP and assigned to the group "Teachers". This group is used as a mailing list for all general communications.

    A) I would like all but a few teachers to be able only to view.
    (Done by creating a role that can only view, assigned to the Teachers group.)

    B) Some of the miscellaneous staff and some teachers can only insert and modify everyone's commitments, but not insert or modify areas, rooms, users and groups.
    These staff are placed in the group "Activities".

    Here I find a problem: a teacher who is in the group "Teachers" and also in the group "Activities" has view access only.
    I wouldn't want to create a group just to deny modification to the Teachers, but if there is no other way I will.

    C) Group administrators can do everything.
    This is already possible.

    Thanks for your patience.

     
  • Campbell Morrison

    Here I find a problem: a teacher who is in the group "Teachers" and also in the group "Activities" has view access only.
    I wouldn't want to create a group just to deny modification to the Teachers, but if there is no other way I will.

    I think that what's needed is the concept of configurable default permissions, either in the config file or through a web page. At the moment the default is that ordinary users have 'write' permissions. But if the default were that ordinary users have 'read' permissions only, then you could achieve what you want to do. Until that configuration option appears, you can modify the code by changing line 98 of lib/MRBS/Location.php from

          $result->permission = $result::WRITE;
    

    to

          $result->permission = $result::READ;
    

    Then you can grant write permission to the role used by the Activities group and you don't need to have a role for the Teachers because they will have the default permissions.
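    An added illustration, not MRBS's own code, of how the changed default combines with role grants; the group and role names and the "highest grant wins" resolution are assumptions chosen to match the thread:

```php
<?php
// Added illustration, not MRBS code: with the default permission changed to
// READ, a user's permission on a location is the highest grant among the roles
// of the groups they belong to, or the default when no role grants anything.
// The group/role names and the "highest grant wins" rule are assumptions.
const READ = 'read';
const WRITE = 'write';
const RANK = [READ => 1, WRITE => 2];

// Group -> role mapping; only the Activities role needs an explicit grant now
$group_roles = ['Teachers' => 'teachers', 'Activities' => 'activities'];
$role_grants = ['activities' => WRITE];

function effective_permission(array $groups, array $group_roles, array $role_grants, string $default): string
{
    $best = $default;
    foreach ($groups as $group) {
        $role = $group_roles[$group] ?? null;
        $grant = ($role === null) ? null : ($role_grants[$role] ?? null);
        // A more permissive grant from any role wins; a role without a grant adds nothing
        if ($grant !== null && RANK[$grant] > RANK[$best]) {
            $best = $grant;
        }
    }
    return $best;
}

// Compare the original default (WRITE, line 98 before the edit) with READ
foreach ([WRITE, READ] as $default) {
    printf("default %-5s: Teachers only => %s, Teachers+Activities => %s\n",
        $default,
        effective_permission(['Teachers'], $group_roles, $role_grants, $default),
        effective_permission(['Teachers', 'Activities'], $group_roles, $role_grants, $default));
}
```

    With the default at WRITE every teacher can edit; with the default at READ only members of a group whose role carries a grant can.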

     
  • Luciano idiometri

    Good morning.
    Thanks for the help, it worked fine.

    I have one more request: the system is very slow in retrieving information from LDAP.
    Not only at login, but also every time you perform an operation.

    Also, it seems to me that there is a problem when setting the variable $ldap_base_dn in config.inc.php.
    I do this to limit the search to only the users who can access the system.

    If the variable is set to
    $ldap_base_dn = array ('ou=Teachers,ou=Users,dc=myschool,dc=it', 'ou=Staff,ou=Administrative, ou=Users,dc=myschool,dc=it');
    the system finds users in Teachers and in Staff and authenticates them.
    If I set the variable to
    $ldap_base_dn = array ('ou=Teachers,ou=Users,dc=myschool,dc=it', 'ou=Administrative, ou=Users,dc=myschool,dc=it');
    the system finds users in Teachers and Administrative but does not authenticate Staff users.

    Thank you for your patience

     
    • Campbell Morrison

      @jberanek John - any ideas?

       
  • Campbell Morrison

    Could you post your config settings for LDAP here please, omitting any confidential data?

     
  • Luciano idiometri

    // 'auth_ldap' configuration settings
    // I used stunnel

    $ldap_host = "localhost";
    $ldap_port = 1636;
    $ldap_v3 = true;
    $ldap_tls = false;
    $ldap_base_dn = array('ou=Docenti,ou=Users,dc=myschool,dc=it', 'ou=GESTORI,ou=Users,dc=myschool,dc=it', 'ou=COLLABORATORI,ou=AMMINISTRATIVO,ou=Users,dc=myschool,dc=it');
    $ldap_user_attrib = "uid";

    //////////////////////////////////////
    $ldap_dn_search_dn = "Myuser";
    $ldap_dn_search_password = "Mypassword";
    ////////////////////////////////////////

    $ldap_deref = LDAP_DEREF_SEARCHING;
    $ldap_get_user_email = true;
    $ldap_email_attrib = 'mail';
    $ldap_name_attrib = 'cn';

    // The DN of the LDAP group that MRBS admins must be in. If this is defined
    $ldap_admin_group_dn = 'cn=agenda,ou=Groups,dc=myschool,dc=it';
    $ldap_group_member_attrib = 'memberof';
    $ldap_unbind_between_attempts = false;
    $ldap_suppress_invalid_credentials = false;
    $ldap_debug = false;
    $ldap_debug_attributes = false;
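    An added example, not MRBS's own code, of the search-then-bind flow that a configuration like the one above drives: each base DN is searched in turn with an escaped filter and the password is checked by binding as the DN found. The host, port, base DNs and uid attribute are taken from the posted config; the search account DN and password are placeholders.

```php
<?php
// Added example, not MRBS's own code: look a login name up under each base in
// the poster's $ldap_base_dn list, then check the password by binding as the DN
// found. The search account DN and password are placeholders.
$ldap_host = 'localhost';
$ldap_port = 1636;                  // local stunnel endpoint from the config above
$ldap_base_dn = [
    'ou=Docenti,ou=Users,dc=myschool,dc=it',
    'ou=GESTORI,ou=Users,dc=myschool,dc=it',
    'ou=COLLABORATORI,ou=AMMINISTRATIVO,ou=Users,dc=myschool,dc=it',
];
$ldap_user_attrib = 'uid';
$ldap_dn_search_dn = 'cn=PLACEHOLDER-search-account,dc=myschool,dc=it';
$ldap_dn_search_password = 'PLACEHOLDER';

function find_user_dn($ldap, array $bases, string $attrib, string $login): ?string
{
    // Escape the login so characters such as '*' or ')' cannot alter the filter
    $filter = '(' . $attrib . '=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    foreach ($bases as $base) {
        // ldap_search() is a subtree search: entries in OUs below $base match too
        $result = @ldap_search($ldap, $base, $filter, ['dn']);
        if ($result === false) continue;            // base missing or unreadable
        $entries = ldap_get_entries($ldap, $result);
        if ($entries['count'] > 1) return null;      // ambiguous login name: refuse
        if ($entries['count'] === 1) return $entries[0]['dn'];
    }
    return null;                    // not found under any configured base
}

function ldap_authenticate(string $login, string $password): bool
{
    global $ldap_host, $ldap_port, $ldap_base_dn, $ldap_user_attrib,
           $ldap_dn_search_dn, $ldap_dn_search_password;
    if ($password === '') return false;   // an empty password would make the bind anonymous
    $ldap = ldap_connect("ldap://{$ldap_host}:{$ldap_port}");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // The read-only search account only locates the DN; it never sees the user's password
    if (!@ldap_bind($ldap, $ldap_dn_search_dn, $ldap_dn_search_password)) {
        return false;
    }
    $dn = find_user_dn($ldap, $ldap_base_dn, $ldap_user_attrib, $login);
    $ok = $dn !== null && @ldap_bind($ldap, $dn, $password);   // second bind proves the password
    ldap_unbind($ldap);
    return $ok;
}
```

    Because the search is subtree-scoped, a base such as ou=AMMINISTRATIVO,ou=Users,... also covers entries in OUs beneath it, which is the behaviour to check against when a narrower base seems to exclude some users.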