[MGNLDEMO-30] Create users and roles for demonstration purposes Created: 18/May/15  Updated: 02/Jul/15  Resolved: 02/Jul/15

Status: Closed
Project: Magnolia Demo Projects
Component/s: magnolia-travels
Affects Version/s: 0.5
Fix Version/s: 0.5

Type: Task Priority: Critical
Reporter: Christopher Zimmermann Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MAGNOLIA-5975 Versioning does not work if a workspa... Closed
relates to MGNLDEMO-42 German translation for "template labels" Closed
causality
is causing MGNLDEMO-73 Move travel-related roles/groups to t... Closed
is causing MGNLDEMO-68 Share demo users between STK and trav... Closed
relation
is related to MGNLDEMO-361 Eric can edit & publish while Peter i... Closed
Template:
Acceptance criteria: Empty
Task DoR: Empty
Release notes required: Yes
Date of First Response:

 Description   

Basic proposal
--------------------
We need to create two user typologies: editor and publisher

  • we create three totally independent roles for the single purpose of the travel-demo and thus also prefix them with "travel-demo-"
    • travel-demo-editor, travel-demo-tour-editor (can only edit tours and tour categories) and travel-demo-publisher. Note: to work around MGNLUI-3200 the latter role has R/W permissions on website, otherwise s/he can't publish
  • an additional travel-demo-base role is created which has read access to the tours, dam, categorisation workspaces (this is the role given to the anonymous user too, so that he can see tours)
  • three groups will be created: travel-demo-editors, travel-demo-tour-editors and travel-demo-publishers, with the needed roles to carry out their work
  • if workflow is installed, travel-demo-publishers will be added to /modules/workflow-jbpm/tasks/publish/groups so as to be able to see workflow tasks
    So eventually, we'll end up with
    eric (editor) = travel-demo-editors / password = eric
    eric-de (German editor) = travel-demo-editors (like eric but with UI language settings in German) / password = eric-de
    peter (publisher) = travel-demo-publishers / password = peter
    tina (can only operate on tours app and categories) = travel-demo-tour-editors / password = tina

All roles, groups and users created by the travel-demo are bootstrapped as samples

Findings during implementation
------------------------------------------
Some apps grant themselves accessibility to certain actions and roles (e.g. demo-project- from STK or editor and publisher available only with workflow). E.g. by issuing the following query on the latest 5.4-SNAPSHOT EE-bundle

select * from [nt:base] as t where contains(t.*, 'demo-project-%') or contains(t.*, 'editor') or contains(t.*, 'publisher')

one gets the following relevant results

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles
/modules/dam-app/apps/assets/permissions/roles
/modules/categorization/apps/categories/permissions/roles
/modules/tours/apps/tourCategories/permissions/roles

For the sake of clarity and consistency those should be removed and let projects define roles which can access needed apps and actions. By the same token, I'd add permissions to all app groups under /modules/ui-admincentral/config/appLauncherLayout/groups and grant them by default to superuser only. It will be a project concern to add its roles by giving permissions to the appropriate roles (and we could certainly provide generic Tasks to make it easier). In our case, it will be magnolia-travel-demo to create roles and decide which apps they can access.
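
The proposal and findings above can be checked mechanically. The following is an added example, not Magnolia or travel-demo code: a small Python model that resolves user -> group -> role and audits the role lists on config nodes. User, group and role names and the two node paths come from this ticket; the role lists stored on the nodes are constructed sample values, and the rule that an empty role list means "unrestricted" is an assumption of the model.

```python
# Added example. Names and paths come from the ticket; role lists on the
# config nodes are constructed sample values, not real module defaults.
SUPERUSER = "superuser"
PREFIX = "travel-demo-"

GROUP_ROLES = {  # each group carries its working role plus travel-demo-base
    "travel-demo-editors": {"travel-demo-editor", "travel-demo-base"},
    "travel-demo-tour-editors": {"travel-demo-tour-editor", "travel-demo-base"},
    "travel-demo-publishers": {"travel-demo-publisher", "travel-demo-base"},
}
USER_GROUPS = {
    "eric": {"travel-demo-editors"},
    "eric-de": {"travel-demo-editors"},
    "peter": {"travel-demo-publishers"},
    "tina": {"travel-demo-tour-editors"},
}
ACTIVATE = "/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles"
TOUR_CATS = "/modules/tours/apps/tourCategories/permissions/roles"

# Constructed "before": publish is unrestricted, an app names module-owned roles.
WEAK = {ACTIVATE: set(), TOUR_CATS: {"editor", "publisher"}}
# Constructed "after": the project grants its own roles explicitly.
FIXED = {
    ACTIVATE: {"travel-demo-publisher"},
    TOUR_CATS: {"travel-demo-editor", "travel-demo-tour-editor", "travel-demo-publisher"},
}
# Intended separation of duties: (user, node, should_have_access)
EXPECTED = [
    ("eric", ACTIVATE, False), ("eric-de", ACTIVATE, False),
    ("tina", ACTIVATE, False), ("peter", ACTIVATE, True),
    ("tina", TOUR_CATS, True),
]

def effective_roles(user):
    """Resolve user -> groups -> roles."""
    return set().union(*(GROUP_ROLES[g] for g in USER_GROUPS.get(user, ())))

def has_access(user, node_roles):
    """Assumed semantics: superuser always passes, an empty role list means
    'unrestricted', otherwise the user needs at least one listed role."""
    roles = effective_roles(user)
    return SUPERUSER in roles or not node_roles or bool(roles & node_roles)

def audit(config):
    """Return (user, path) pairs whose access differs from EXPECTED."""
    return [(u, p) for u, p, want in EXPECTED if has_access(u, config[p]) != want]

def foreign_roles(config):
    """Nodes naming roles the project does not own (what the JCR query hunts)."""
    return {p: sorted(r for r in roles if r != SUPERUSER and not r.startswith(PREFIX))
            for p, roles in config.items()
            if any(r != SUPERUSER and not r.startswith(PREFIX) for r in roles)}

if __name__ == "__main__":
    print("weak :", audit(WEAK), foreign_roles(WEAK))
    print("fixed:", audit(FIXED), foreign_roles(FIXED))
```

Removing a module's hardcoded role list without adding the project's own roles leaves the node unrestricted under this model, which is why the audit checks denials as well as grants.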



 Comments   
Comment by Christopher Zimmermann [ 01/Jun/15 ]

I don't like that projects would always have to add permissions for every app, if they don't want to let people use the superuser role. But I like that it is clean and seems like a good foundation to build upon.

Comment by Christopher Zimmermann [ 25/Jun/15 ]

Review:
Eric-de password should be eric-de

Change descriptions to be consistent and shorter.
Tina (Tour editor, created by travel-demo)
Eric (Editor, created by travel-demo)
Peter (Publisher, created by travel-demo)
Eric-DE (German editor, created by travel demo)

Status of items in Security app? Can they all be green?

travel-demo-editor has everything in travel-demo-base?
Then why do the groups have both?

Comment by Federico Grilli [ 25/Jun/15 ]

For the release notes/docu:
the basic proposal in the issue description corresponds to what has been actually implemented

Comment by Philip Mundt [ 29/Jun/15 ]

There seems to be an issue with anonymous accessing the tours workspace (as superuser one can see them):

2015-06-29 09:21:43,802 ERROR nfo.magnolia.demo.travel.tours.model.CarouselModel: Could not retrieve linked tour with identifier [730c8850-d638-4e91-b3fb-4041a0c59ffe].
javax.jcr.ItemNotFoundException: 730c8850-d638-4e91-b3fb-4041a0c59ffe
	at org.apache.jackrabbit.core.SessionImpl.getNodeById(SessionImpl.java:538)
	at org.apache.jackrabbit.core.SessionImpl.getNodeByIdentifier(SessionImpl.java:1102)
	at info.magnolia.jcr.wrapper.DelegateSessionWrapper.getNodeByIdentifier(DelegateSessionWrapper.java:182)
	at info.magnolia.jcr.wrapper.DelegateSessionWrapper.getNodeByIdentifier(DelegateSessionWrapper.java:182)
	at info.magnolia.jcr.decoration.ContentDecoratorSessionWrapper.getNodeByIdentifier(ContentDecoratorSessionWrapper.java:129)
	at info.magnolia.jcr.wrapper.DelegateSessionWrapper.getNodeByIdentifier(DelegateSessionWrapper.java:182)
	at info.magnolia.jcr.wrapper.NodeWrappingDelegateSessionWrapper.getNodeByIdentifier(NodeWrappingDelegateSessionWrapper.java:58)
	at info.magnolia.jcr.wrapper.DelegateSessionWrapper.getNodeByIdentifier(DelegateSessionWrapper.java:182)
	at info.magnolia.jcr.decoration.ContentDecoratorSessionWrapper.getNodeByIdentifier(ContentDecoratorSessionWrapper.java:129)
	at info.magnolia.jcr.wrapper.DelegateSessionWrapper.getNodeByIdentifier(DelegateSessionWrapper.java:182)
	at info.magnolia.jcr.decoration.ContentDecoratorSessionWrapper.getNodeByIdentifier(ContentDecoratorSessionWrapper.java:129)
	at info.magnolia.demo.travel.tours.model.CarouselModel.getTour(CarouselModel.java:99)
	at info.magnolia.demo.travel.tours.model.CarouselModel.getTours(CarouselModel.java:84)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at freemarker.ext.beans.BeansWrapper.invokeMethod(BeansWrapper.java:1385)
	at freemarker.ext.beans.BeanModel.invokeThroughDescriptor(BeanModel.java:254)
	at freemarker.ext.beans.BeanModel.get(BeanModel.java:158)
	at freemarker.core.Dot._eval(Dot.java:40)
	at freemarker.core.Expression.eval(Expression.java:76)
	at freemarker.core.Assignment.accept(Assignment.java:71)
	at freemarker.core.Environment.visit(Environment.java:257)
	at freemarker.core.MixedContent.accept(MixedContent.java:57)
	at freemarker.core.Environment.visit(Environment.java:257)
	at freemarker.core.Environment.process(Environment.java:235)
	at freemarker.template.Template.process(Template.java:262)
	at info.magnolia.freemarker.FreemarkerHelper.render(FreemarkerHelper.java:152)
	at info.magnolia.rendering.renderer.FreemarkerRenderer.onRender(FreemarkerRenderer.java:96)
	at info.magnolia.rendering.renderer.AbstractRenderer.render(AbstractRenderer.java:155)
	at info.magnolia.rendering.engine.DefaultRenderingEngine.render(DefaultRenderingEngine.java:118)
	at info.magnolia.rendering.engine.DefaultRenderingEngine.render(DefaultRenderingEngine.java:99)
	at info.magnolia.rendering.engine.DefaultRenderingEngine.render(DefaultRenderingEngine.java:94)
	at info.magnolia.rendering.engine.DefaultRenderingEngine$$EnhancerByCGLIB$$9ce0b773.render(<generated>)
	at info.magnolia.templating.elements.ComponentElement.begin(ComponentElement.java:181)
	at info.magnolia.templating.renderers.NoScriptRenderer.onRender(NoScriptRenderer.java:102)
	at info.magnolia.templating.renderers.NoScriptRenderer.render(NoScriptRenderer.java:80)
	at info.magnolia.rendering.engine.DefaultRenderingEngine.render(DefaultRenderingEngine.java:118)
	at info.magnolia.rendering.engine.DefaultRenderingEngine$$EnhancerByCGLIB$$9ce0b773.render(<generated>)
	at info.magnolia.templating.elements.AreaElement.end(AreaElement.java:324)
	at info.magnolia.templating.freemarker.AbstractDirective.execute(AbstractDirective.java:98)
	at freemarker.core.Environment.visit(Environment.java:333)
	at freemarker.core.UnifiedCall.accept(UnifiedCall.java:100)
	at freemarker.core.Environment.visit(Environment.java:257)
	at freemarker.core.MixedContent.accept(MixedContent.java:57)
	at freemarker.core.Environment.visit(Environment.java:257)
	at freemarker.core.Environment.process(Environment.java:235)
	at freemarker.template.Template.process(Template.java:262)
	at info.magnolia.freemarker.FreemarkerHelper.render(FreemarkerHelper.java:152)
	at info.magnolia.rendering.renderer.FreemarkerRenderer.onRender(FreemarkerRenderer.java:96)
	at info.magnolia.rendering.renderer.AbstractRenderer.render(AbstractRenderer.java:155)
	at info.magnolia.module.site.renderer.SiteAwareFreemarkerRenderer.render(SiteAwareFreemarkerRenderer.java:89)
	at info.magnolia.rendering.engine.DefaultRenderingEngine.render(DefaultRenderingEngine.java:118)
	at info.magnolia.rendering.engine.DefaultRenderingEngine$$EnhancerByCGLIB$$9ce0b773.render(<generated>)
	at info.magnolia.rendering.engine.RenderingFilter.render(RenderingFilter.java:195)
	at info.magnolia.rendering.engine.RenderingFilter.handleTemplateRequest(RenderingFilter.java:140)
	at info.magnolia.rendering.engine.RenderingFilter.doFilter(RenderingFilter.java:94)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.rendering.model.ModelExecutionFilter.doFilter(ModelExecutionFilter.java:100)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.AggregatorFilter.doFilter(AggregatorFilter.java:100)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.security.BaseSecurityFilter.doFilter(BaseSecurityFilter.java:57)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.RepositoryMappingFilter.doFilter(RepositoryMappingFilter.java:108)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:74)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.VirtualUriFilter.doFilter(VirtualUriFilter.java:69)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.module.cache.executor.Store.processCacheRequest(Store.java:100)
	at info.magnolia.module.cache.executor.CompositeExecutor.processCacheRequest(CompositeExecutor.java:67)
	at info.magnolia.module.cache.filter.CacheFilter.doFilter(CacheFilter.java:170)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.i18n.I18nContentSupportFilter.doFilter(I18nContentSupportFilter.java:74)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.RangeSupportFilter.doFilter(RangeSupportFilter.java:84)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.security.BaseSecurityFilter.doFilter(BaseSecurityFilter.java:57)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.security.SecurityCallbackFilter.doFilter(SecurityCallbackFilter.java:80)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.security.LogoutFilter.doFilter(LogoutFilter.java:94)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.module.site.filters.SiteMergeFilter.doFilter(SiteMergeFilter.java:119)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.MultiChannelFilter.doFilter(MultiChannelFilter.java:83)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.module.cache.filter.GZipFilter.doFilter(GZipFilter.java:73)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:127)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	at info.magnolia.cms.filters.CosMultipartRequestFilter.doFilter(CosMultipartRequestFilter.java:87)
	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:112)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:128)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	at info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:107)
	at info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:67)
	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:108)
	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:94)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

Comment by Christopher Zimmermann [ 29/Jun/15 ]

Eric gets an exception when attempting to save a changed tour.

Caused by: javax.jcr.AccessDeniedException: /magnolia-travels/Hut-to-Hut-in-the-Swiss-Alps/destination: not allowed to add or modify item

Comment by Christopher Zimmermann [ 29/Jun/15 ]

On CE pages app, where workflow is not installed, the Publish action is available to Eric. However he should not have the right to publish.
On CE, the Publish and Publish Recursive actions should not be available to Eric - they should only be available to travel-demo-publisher roles.

Comment by Christopher Zimmermann [ 29/Jun/15 ]

Note that currently publishing on tours or contacts app as peter fails due to this linked ticket https://jira.magnolia-cms.com/browse/MAGNOLIA-5975

Comment by Philip Mundt [ 02/Jul/15 ]

Creating a followup ticket as the roles are lenient enough to not fail when they contain a workspace that doesn't exist.
