Development #6994
Create RBAC models: Role, User-Role relation, Role-Role hierarchy, Permissions, OrganizationalUnit
100%
Description
All objects should pertain to an organization unit (OU).
User can be linked to many roles. Roles can be linked to many users. Roles can be linked to roles.
Roles can be linked to many permissions.
The permission model must contain a generic foreign key (the ressource) and a string (the operation) and a scope (generic foreign key to organizations for example). Permissions without scope apply to all ressources targeted, with a scope only to ressources of this scope. Ex.:
Permission(ressource=ContentType(User), operation="admin", scope=OU) is the permission to administer users in the people OU.
Role hierarchy must be stored denormalized to speed queries. On each creation/deletion of a link the full transitive closure of the relation must be maintained. Role have flags:- mirror : generic foreign key to the object it was made for, if present it means the role was automatically created and must not be deleted
- organization : the organization owning this role
Révisions associées
utils: add get_fk_model to retrieve related model
get_fk_model() is an helper method to retrieve the related model of a
possible foreign key field of a model, it supports pre and post 1.8
model's _meta internal API.
refs #6994
a2_rbac: integrate django_rbac in authentic2
This commit add local implementations for swappable models of the
django_rbac application. The role model gets extraneous fields to map
some roles one-to-one to permssions (admin_scope generic key field) and
to link roles to a service to make service's roles.
The admin scope allow building automatic management roles, like the
general management role for an organizational unit which inherits all
content type management roles for this ou.
tox.ini: run tests for RBAC and CAS idp
refs #6994
Historique
Mis à jour par Benjamin Dauvergne il y a environ 9 ans
- Assigné à mis à Benjamin Dauvergne
- Version cible mis à 2.2.0
Mis à jour par Frédéric Péters il y a presque 9 ans
- Bloqué par Development #7163: Rendre le menu déroulant Publik contextuel + Wording ajouté
Mis à jour par Frédéric Péters il y a presque 9 ans
- Bloqué par Development #7163: Rendre le menu déroulant Publik contextuel + Wording supprimé
Mis à jour par Benjamin Dauvergne il y a presque 9 ans
- Statut changé de Nouveau à Résolu (à déployer)
- % réalisé changé de 0 à 100
Appliqué par commit authentic2|c9915b9b6d0e34fecfce78b2670323d403534613.
Mis à jour par Benjamin Dauvergne il y a environ 8 ans
- Statut changé de Résolu (à déployer) à Solution déployée
Mis à jour par Benjamin Dauvergne il y a plus de 6 ans
- Statut changé de Solution déployée à Fermé
django_rbac: add an RBAC engine (#6994)
- swappable role model supporting role graph with cycles
- swappable role parenting model
- swappable permission model
- swappable organizational unit model allowing to have scopes on permissions and objects
- authorization backend based on role membership
- helpers to filter querysets by the permissions users have on them