Observations on User/Roles in a fresh DSP installation


#1

Hi there,

I’m not sure, what kind of problem this is (maybe the one before the computer?):

1. AngularJS on a ‘basic’ user does not save:

  • I created a role ‘user’.

  • set to access ‘AngularJS todos’ (and set it as default)

  • when I login with the user’s credentials, I am presented with the AngularJS Todos app

  • I can enter anything, but it doesn’t save. (Button just does nothing)

  • Error is:
    [2014-07-18 01:46:27] app.INFO: Platform local user auth (via password): user@example.com [] []
    [2014-07-18 01:46:27] app.DEBUG: Platform state validation complete. [] []
    [2014-07-18 01:46:27] app.ERROR: REST Exception #403 > GET access to component ‘todo’ of service ‘db’ is not allowed by this user’s role. {“host”:“localhost:8080”,“request_uri”:"/rest/db/todo/?app_name=todoangular&fields=",“source_ip”:"::1",“sapi_name”:“apache2handler”} []
    [2014-07-18 01:46:35] app.ERROR: REST Exception #403 > POST access to component ‘todo’ of service ‘db’ is not allowed by this user’s role. {“host”:“localhost:8080”,“request_uri”:"/rest/db/todo/?app_name=todoangular&fields=
    ",“source_ip”:"::1",“sapi_name”:“apache2handler”} []

  • So I must add the user to the Database service in order to let the user access the ‘todos’.

  • What’s the reason for this? I’d expect the rights for a user are set within the user’s role for an application. As it is, I must assign a service separately…

2. Does not login

  • After the above, I also added the user’s role to jQuery todos
  • As soon as I choose to enter anything into jQuery todos, a modal appears and asks me to login, but doesn’t accept the login and brings the modal again, and again, and again…
  • I can login, after I created a service for the user’s role.

3. What’s the difference between assigning an app to a role in ‘Apps’ and assigning am app to a role in ‘Roles’?

  • I assigned a role to an App in ‘Roles’, but it doesn’t appear in ‘Apps’
  • Same thing other way round…

4. When I choose to logout, I am presented by a warning:
'Are you sure you want to sign out of the application?

Any unsaved changes will be lost!’

This is completely misleading IMO - especially, if there are no unsaved changes… But still then: A logout shouldn’t be accompanied by such a message.

thx for listening

andy


#2

Definitely appreciate the insight here, thanks man.

  • Mark

#3

Hi Andy, see my responses below…

Item 1:

So I must add the user to the Database service in order to let the user access the ‘todos’.

Yes, you need to grant each role access to both a set of apps and a set of services. For example, if you don’t specify CRUD permissions on the todo table, then any user could start operating on that table illegally.

What’s the reason for this? I’d expect the rights for a user are set within the user’s role for an application. As it is, I must assign a service separately…

Services and apps are decoupled. For example, you might have more than one application that uses the same SQL database and you need to partition role-level control by both apps and services (for example role 1 might have access to the same app as role 2, but not necessarily to the same underlying services for that app). For example, on a given app it’s common to grant different role-level access rights to tables in the same database as well as different role-level CRUD permissions on a given table.

Item 2:

Related to item 1 above…agree it would be good to improve error feedback in the messages

Item 3:

There’s no difference, it’s just a different way to make role <–> app assignments in the UI.

Cheers,
Ben