[oss-changes] [ opensubsystems-Feature Requests-1423505 ] Allow new users to create domains and use
From: SourceForge.net <no...@so...> - 2008-11-11 06:12:31
Feature Requests item #1423505, was opened at 2006-02-03 10:38
Message generated for change (Settings changed) made by bastafidli
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=659216&aid=1423505&group_id=111437

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Security (Domain, User, Role, Session)
Group: Short term
>Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Miro Halas (bastafidli)
Assigned to: Julian Legeny (jlegeny)
Summary: Allow new users to create domains and user accounts

Initial Comment:
Currently when the system is started for the first time a default domain is created and a default user account in that domain is created. Only this user can then create additional users and only in his own domain. There is no other way how to create additional domains and therefore there is also no way how to create users in those domains.

The purpose of this task is to create a way how additional domains can be created and how user can create their own accounts in those domains.

1. Self domain creation

We need a way how user can create brand new domain. Since user account exists in the domain, only a new user (user who doesn't have account in the system yet or who will create new account) can create domain. This seems to be a good fit for the initial login page. The login dialog has currently 2 tabs (Login and Change Password). Let's create a new tab on the Login page, such as "Create account".

The Create account tab will have also following fields from the domain dialog (I don't think we currently have one)
- Domain name
- Domain description

The Create account tab will have following fields from the user dialog:
- Login name
- Password
- First name
- Last name
- address
- Phone
- Email
- Fax

Am I forgetting any attributes to display?

The Create account tab will NOT have the following fields
- Login enabled - this will be automatically true
- Administrator - this will be automatically true
- Internal user - this will be automatically true
- Roles - no roles will be initially assigned, since user is administrator and therefore no roles are needed

Am I forgetting any attributes NOT to display?

If we can, we should separate the domain and the user section of the dialog, maybe with some divider or div or something.

The tab will have buttons Create and Reset (if I remember this is consistent with Login and Reset on the login page).

Once user enters all the information and clicks Create we will verify that domain with such name doesn't exist in the system and create it. Then we will create a specified user in this domain. Once all is created we will automatically log in user to the system and show the screen, which we normally show after login.

2. Managing domains

Once user is logged in, the user is logged in to a particular domain. We never show, which domain the user is logged in. There is also no way to change the domain information or see other domains. We need to enable this functionality in a safe and secure manner.

Do we currently allow to setup access rights for domains in the role dialog? I think so but if not, we should since this will allow us to control who can view, create or edit domains.

The problem is that not everybody can see other domains. If domain represents a company using the system, then we do not want one company to see other companies. On the other hand there might be also users and domains, which will be responsible for managing other domains. These users may need to see all domains.

Currently domain contains only 2 attributes
- Name
- Description

New domain attributes
---------------------

Modify the domain to include following additional attributes (we need to decide how the dialog will look like):

General info (or whatever it is called now) tab
- Enabled (is this the same name we use for Roles?) - Is the domain enabled or disabled. If domain is disabled, no user can login to the domain
- Management - Boolean - true or false, default false, the first domain created in the schema will have this attribute set to true. This attribute is visible only when it is set to true, otherwise it is not visible on the dialog. This attribute will specify domains, which can manage other domains (therefore being management domains) - we need better name for this, I do not like the name management

Self registration (is this even a word, any idea about better name?) tab
- Allow self registration - Boolean - true or false, default true. This attribute specifies if users can self register (create user accounts for themselves) in this domain. If false, user cannot create user account for himself in the domain and somebody else (already existing user with the privileges) has to create the account for him. If true, user can self register himself in this domain.

Following new attributes will be enabled only if Self registration is true, otherwise they are disabled.
- Successful answers required - positive nonzero number - how many questions users have to answer correctly before they are allowed to self register in this domain
- Questions - list - this will be list of questions, which user has to successfully answer before he can join the domain

Initially the questions can just look like edit box for question and edit box for correct answer, later on we may want to extend it by specifying answer data type (text, number, decimal number, date, range, list, etc.) and allow to specify multiple valid answers.

Default user tab

These attributes will be enabled even if self registration is disabled. These attributes will be used as default values for users who create accounts for themselves (please use the same spelling of names of the attributes and the same data type as on the User dialog). They will be also used to initialize the Create User dialog as well as for self registered users (see later).
- Login enabled - will the user have by default enabled login or will they have to wait until somebody enables their login
- Superuser - Boolean - will the user be by default superuser or not
- Internaluser - Boolean - will the user be by default considered internal user or not
- Roles - list of domain ids - this is the standard double list allowing to assign roles to the domain. The assigned roles will be automatically assigned to self registered users.

Am I missing some attributes which would make sense to use as default values for users? Maybe address/phone information since employees of the company may have the same address?

When saving domain we need to detect if user is changing the Management flag from true to false. We need to stop user if there is no other domain in the system, which has the management flag set (we cannot allow that there won't be any management domain in the system).

When saving domain we need to detect if user is changing the Enabled flag from true to false and this is a Management domain (the changed value of Management is true). We need to stop user if there is no other Enabled Management domain.

When and how to display the domain dialogs and list
---------------------------------------------------

There are two ways how the domains can be accessed. User, which exists in management domains (Management flag for the domain where the user exists is set to true), can see any domains, which are allowed by his access rights.
User, which exists in a non management domain cannot see any other domains in the system other than his own (if his access rights allows it - we may need to do some extra coding to prevent non management users to see any other domains).

For user, which exists in Management domain we will provide new Domains tab, next to the Sessions, Users and Roles tabs, which will allow him to view, edit and delete other domains. This will follow the standard procedure with the list of items on top and preview dialog on the bottom. The list will have the standard New, Delete, Enable/Disable, Print and Help buttons. We should display the Management flag in the list and maybe use different icons for management and non management domains.

The user, which exists in non management domain, will not even see the Domains tab, since the tab has no meaning for him. We need to provide a way how to show only the domain dialog for his own domain, which he can edit (if he has the access right). The best solution is if we can show the domain name next to or above the user name on top of the screen, such as

    domain name : user name [Logout button]

or possibly

    domain name [ Logout button ]
    user name   [ ]

The Domain name would be a link, which if the user clicks on, it would display the Domain dialog for the current domain. This would work for both Management and Non management domains. When user clicks on it, the upper tab would switch to the Domains tab. The dialog would be displayed in the preview pane of the domain tab. (We could probably do the same for user name being link to the current user dialog and switching to user tab).

For Management domains the upper tab would contain the list of domains. For Non management domains since we do not want to display the list of domains, the upper tab would not contain the list of domains (would be empty, the iframe and buttons may not even be generated) and the Edit Domain dialog would be maximized (hiding therefore the upper tab).
Once the User for Non management domain clicks the Cancel or X (Close) button in the Edit Domain dialog, the screen would switch back to the previous module (User, Roles, Sessions) and the correct previous preview dialog.

If user doesn't have right to see the domain we need to display standard error message but still allow to switch back to the previous view.

3. Modify login to take into account new domain attributes

We have added flag enabled/disabled to the domain. Login procedure has to take this into account and check for this attribute. If domain is disabled, then it cannot allow any user in that domain to login and needs to display appropriate error message (different from other messages). We need to modify all locations in the code from where login is being called.

===============================================================\

4. Modify Self domain creation (step 1) to make the domain enabled flag configurable

Since in step 2 we have implemented enabling and disabling domains we want to have an option to decide if the self created domains are by default enabled or disabled. The first domain created by the default database schema is created as enabled, but we may want for the self registered domains to be created as disabled until some user (from management domain) will enable them.

Make this a property file attribute and take the value of this attribute into account when creating self registered domains. When creating domains from the Create domain dialog, this attribute has no effect.

If the domain was created as disabled we need to display message about it on the Login (active) tab, such as the domain was created successfully, but needs to be first enabled by system administrator.

5. Modify Create User dialog to take into account the Default user settings from domain

This will be most likely implemented in UserController.get(id) when id is DataObject.NEW_ID since under these conditions we populate the default data object with the setting specified in the domain.

6. Joining existing domains

If domain administrator enabled self registration for the domain, we need to allow users to create their own accounts in the domain. To do this we will extend the Create Account tab of the Login page created in the step 1.

Add two additional controls to the top of the Create account tab
- Create new domain - radio button
- Join existing domain - radio button

If Create new domain is selected, the Create Account tab will behave exactly as it behaved in step 1.

If Join existing domain is selected, the dialog will behave completely differently:
- All controls available in the "Create new domain" mode will be hidden.
- New edit control "Domain name" with help/description "Enter name of the domain you want to join" will be displayed.
- Search and Reset buttons will be displayed on the bottom of the dialog.

Once the Search button is clicked, the dialog will submit and search the list of existing domains, which allow self registration. For each found domain it retrieves the set of questions the user needs to answer and how many questions it needs to answer correctly. If the search identified multiple domains, the questions will be loaded for all the domains.

Once the page refreshes, the Create account tab will be active
- On top of the page will be Create new domain and Join existing domain radio buttons with Join existing domain radio button selected
- Domain name read only field will show the text user entered
- Below will be combo box with the questions retrieved for all domains which allow self registration matching previous search.
- On the bottom will be buttons: Verify answer(s), New search and Reset
  - Reset button will clear all the answers
  - New search will reset/reload the page to its initial stage with Domain name edit box and available and Search/Reset buttons on the bottom.
  - The Verify answer(s) will be initially disabled.

User selects question. Answer field matching the type of the question/answer will be displayed below it. If the domain, for which the questions were retrieved, requires more than 1 correct answer, new button Next Question will appear next to it. It will be disabled until user selects answer for the current question.

User will enter answer. If the domain for which the question was retrieved requires only 1 correct answer the Verify answer(s) button will be enabled. If it requires more than 1 correct answer, the Next question button will be enabled. Once user clicks it, another combo box will appear, this time containing only the questions for the domain for which the previous question was selected (remember, that the first combo box may contain questions from multiple domains). Once user answers as many questions as correct answers are required for a given domain, the Verify answer(s) button will be enabled.

Maybe we can eliminate the Next question button and automatically generate as many combos as many correct answers are required by the domain for which the first question was selected. We would display somewhere text (after selecting the first question, that to join specified domain, X correct answers are required).

Once user clicks the Verify answer(s) button, the dialog will submit and the server will verify the answers. If some of the answers were incorrect an error message will appear (such as questions 2 and 4 were incorrectly answered).

If all the answers were correct, once the page refreshes, the Create account tab will be active.
- On top of the page will be Create new domain and Join existing domain radio buttons with Join existing domain radio button selected
- Domain name read only field will show the actual name of the domain (not the text user entered)
- Below will be the standard user related Create account fields (if applicable pre populated with the domain default values)
- Below will be buttons Create and Reset
  - Reset buttons will reset to its initial values all editable fields
  - Create button will attempt to create account in the specified domain.

The dialog will have to contain hidden values identifying the questions and the answers since once the Create button is clicked, and the account should be created we will have to verify once again that all the answers are correct for the domain in which the account is being created.

The account is created using the default values set on the Edit domain dialog (some of these were not visible on the screen). If the domain is enabled and the default value for login enabled is true, then the user should be automatically logged in to the system and the default screen should be displayed. If the domain is disabled or the login enabled is set to false, user account should be still enabled, but once the screen refreshed the Login tab should be active and proper message should be displayed.

----------------------------------------------------------------------

Comment By: SourceForge Robot (sf-robot)
Date: 2008-11-01 21:20

Message:
This Tracker item was closed automatically by the system. It was previously set to a Pending status, and the original submitter did not respond within 999 days (the time period specified by the administrator of this Tracker).

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=659216&aid=1423505&group_id=111437
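
The two save-time checks on the Management and Enabled flags described in section 2 of the request, written out as an added Java example. It is not code from OpenSubsystems; the `Domain` record, `refuseReason` and the sample domains are hypothetical.

```java
import java.util.List;
import java.util.Optional;

public class DomainSaveRule {
    // Hypothetical model: only the fields the two save-time rules need.
    record Domain(int id, String name, boolean enabled, boolean management) {}

    /** Returns the reason to refuse the save, or empty if the change is allowed. */
    static Optional<String> refuseReason(Domain before, Domain after, List<Domain> all) {
        // Rule 1: Management true -> false needs another management domain.
        if (before.management() && !after.management()
                && all.stream().noneMatch(d -> d.id() != before.id() && d.management())) {
            return Optional.of("no other management domain exists");
        }
        // Rule 2: Enabled true -> false on a domain whose new Management value
        // is true needs another management domain that is also enabled.
        if (before.enabled() && !after.enabled() && after.management()
                && all.stream().noneMatch(
                        d -> d.id() != before.id() && d.management() && d.enabled())) {
            return Optional.of("no other enabled management domain exists");
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the tracker item.
        Domain root = new Domain(1, "default", true, true);
        Domain acme = new Domain(2, "acme", true, false);
        Domain ops = new Domain(3, "ops", false, true); // management, but disabled

        Domain rootNoMgmt = new Domain(1, "default", true, false);
        Domain rootDisabled = new Domain(1, "default", false, true);

        // The only management domain gives up the flag.
        System.out.println(refuseReason(root, rootNoMgmt, List.of(root, acme)));
        // Same change, but a second (disabled) management domain exists.
        System.out.println(refuseReason(root, rootNoMgmt, List.of(root, acme, ops)));
        // The only enabled management domain is being disabled.
        System.out.println(refuseReason(root, rootDisabled, List.of(root, acme, ops)));
    }
}
```

Rule 1 as worded in the request only asks for another management domain, not an enabled one, so the second call is accepted even though `ops` is disabled.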
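
The re-verification that section 6 requires when Create is clicked, as an added Java example (not the project's code): the server repeats the check against its own stored answers instead of relying on the earlier Verify step having passed. All type and method names are hypothetical, and exact string matching of answers is an assumption.

```java
import java.util.List;
import java.util.Map;

public class JoinDomainCheck {
    // Hypothetical types; field names follow the attributes listed in the request.
    record Question(int id, String correctAnswer) {}
    record Domain(String name, boolean enabled, boolean allowSelfRegistration,
                  int successfulAnswersRequired, List<Question> questions,
                  boolean defaultLoginEnabled) {}
    enum Result { REJECTED, CREATED_AND_LOGGED_IN, CREATED_SHOW_LOGIN_TAB }

    /** Re-checks the submitted (question id -> answer) pairs against server-side data. */
    static boolean answersValid(Domain d, Map<Integer, String> submitted) {
        if (!d.allowSelfRegistration()
                || submitted.size() < d.successfulAnswersRequired()) {
            return false;
        }
        for (Map.Entry<Integer, String> e : submitted.entrySet()) {
            // A question id that belongs to another domain finds no match and fails.
            // Assumption: answers are compared as exact strings.
            boolean ok = d.questions().stream().anyMatch(q -> q.id() == e.getKey()
                    && q.correctAnswer().equals(e.getValue()));
            if (!ok) return false;
        }
        return true;
    }

    /** Runs on Create: the hidden question/answer values are verified once again. */
    static Result create(Domain d, Map<Integer, String> hiddenFields) {
        if (!answersValid(d, hiddenFields)) return Result.REJECTED;
        // Account creation with the domain's default user values would happen here.
        return d.enabled() && d.defaultLoginEnabled()
                ? Result.CREATED_AND_LOGGED_IN : Result.CREATED_SHOW_LOGIN_TAB;
    }

    public static void main(String[] args) {
        // Constructed sample data: a domain that requires 2 correct answers.
        Domain acme = new Domain("acme", true, true, 2, List.of(
                new Question(1, "blue"), new Question(2, "1999"), new Question(3, "oak")), true);
        System.out.println(create(acme, Map.of(1, "blue", 2, "1999"))); // both answers match
        System.out.println(create(acme, Map.of(1, "blue", 2, "2001"))); // one answer altered
        System.out.println(create(acme, Map.of(1, "blue", 99, "x")));   // id from another domain
    }
}
```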