Uploaded image for project: 'Kuali Rice Development'
  1. Kuali Rice Development
  2. KULRICE-5339

Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM

    Details

    • Type: Task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0.0-b6, 2.0
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Rice Module:
      KRAD
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required

      Description

      AttributeSecurity needs to check against KIM to determine whether
      whether the security should be applied for the user (mask, partial mask, hidden, readOnly). This needs to integrate with the authorizer.

      Here are some tips for finishing the authorization integration:

      See BusinessObjectAuthorizationServiceImpl#getMaintenanceDocumentRestrictions and other methods

      ----------------------

      Create ViewAuthorizationService

      Create method #invokeAuthorizerPresentationController in ViewAuthorizationService

      1) Invoke Presentation controller to get set of conditionally hidden property names, readonly property names, required property names,
      readonly group ids, and hidden group ids

      2) Invoke Authorizer to get set of security readonly group ids and hidden group ids, then iterate over each and evaluate the KIM permission. If permission
      fails add the group id to the corresponding set found in step 1

      3) Apply restrictions to view

      Assume the restricted property name is on the object path of the fields binding info, or if blank the view's default object binding path, unless
      the property name starts with UifConstants.NO_BIND_ADJUST_PREFIX

      Property name can contain a collection name and then a field, in which case the restriction should apply to all fields in the collection with that name

      Note only set the corresponding property on the AttributeField is the restiction is enabled, not otherwise (this is so any expression will remain and
      still evaluate)

      if read only restriction - field.setReadOnly(true)
      if hidden restriction - field.setRender(false)
      if mask restriction - field.setReadOnly(true) and field.setMasked(true)
      if partial mask restriction - field.setReadOnly(true) and field.setPartialMasked(true)
      if group hidden - get all attribute fields for group and set field.setRender(false)
      if group read only - get all attribute fields for group and set field.setReadOnly(true)

      1. Also, move contents from ViewHelperServiceImpl#invokeAuthorizerPresentationController to new method and move call in performApplyModel
        to after the call to performComponentApplyModel

      Create method #checkFieldAttributeSecurity in ViewAuthorizationService

      1) Check following

      • if attributeSecurity.isMask() : check field unmask authorization (use dictionaryObjectEntry as data object and dictionaryAttributeName and attribute name)
      • if attributeSecurity.isPartialMask() : check field partial unmask authorization
      • if attributeSecurity.isHide() : check field view authorization
      • if attributeSecurity.isReadonly() : check field modify authorization

      Note: Use the dictoinaryObjectEntry for the data object and the dictionaryAttributeName as the attribute name. If not set, use the object given by the view's default
      binding path and the property name of the attribute field

      Checks should go through the corresponding authorizer

      Note special handling needs to be done for collection fields (calling to get additional details)

      1. Invoke in performComponentApplyModel after runComponentModifiers call

      --------------------

      Note the presentation/authorizer classes we are working with in krad are located in uif/authorization. The KNS version are located in document.authorization, bo.authorization, and some other packages.

      Needs more analysis. In particular for other presentation/authorizer methods and button permissions.

      Document well and apply formatting

        Attachments

          Issue Links

            Activity

            jkneal Jerry Neal (Inactive) created issue -
            vpremcha Venkat PremChandran (Inactive) made changes -
            Field Original Value New Value
            Link This issue relates to KULRICE-5183 [ KULRICE-5183 ]
            jkneal Jerry Neal (Inactive) made changes -
            Summary AttributeSecurity needs to check against KIM Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM
            Assignee Jerry Neal [ jkneal ] Venkat PremChandran [ vpremcha ]
            Affects Version/s 2.0 [ 14190 ]
            Description AttributeSecurity needs to check against KIM to determine whether
            whether the security should be applied for the user (mask, partial mask, hidden, readOnly). This needs to integrate with the authorizer.
            AttributeSecurity needs to check against KIM to determine whether
            whether the security should be applied for the user (mask, partial mask, hidden, readOnly). This needs to integrate with the authorizer.

            Here are some tips for finishing the authorization integration:

            See BusinessObjectAuthorizationServiceImpl#getMaintenanceDocumentRestrictions and other methods

            ----------------------

            Create ViewAuthorizationService

            Create method #invokeAuthorizerPresentationController in ViewAuthorizationService

            1) Invoke Presentation controller to get set of conditionally hidden property names, readonly property names, required property names,
            readonly group ids, and hidden group ids

            2) Invoke Authorizer to get set of security readonly group ids and hidden group ids, then iterate over each and evaluate the KIM permission. If permission
            fails add the group id to the corresponding set found in step 1

            3) Apply restrictions to view

            Assume the restricted property name is on the object path of the fields binding info, or if blank the view's default object binding path, unless
            the property name starts with UifConstants.NO_BIND_ADJUST_PREFIX

            Property name can contain a collection name and then a field, in which case the restriction should apply to all fields in the collection with that name

            Note only set the corresponding property on the AttributeField is the restiction is enabled, not otherwise (this is so any expression will remain and
            still evaluate)

            if read only restriction - field.setReadOnly(true)
            if hidden restriction - field.setRender(false)
            if mask restriction - field.setReadOnly(true) and field.setMasked(true)
            if partial mask restriction - field.setReadOnly(true) and field.setPartialMasked(true)
            if group hidden - get all attribute fields for group and set field.setRender(false)
            if group read only - get all attribute fields for group and set field.setReadOnly(true)

            # Also, move contents from ViewHelperServiceImpl#invokeAuthorizerPresentationController to new method and move call in performApplyModel
             to after the call to performComponentApplyModel

            Create method #checkFieldAttributeSecurity in ViewAuthorizationService

            1) Check following

              - if attributeSecurity.isMask() : check field unmask authorization (use dictionaryObjectEntry as data object and dictionaryAttributeName and attribute name)
              - if attributeSecurity.isPartialMask() : check field partial unmask authorization
              - if attributeSecurity.isHide() : check field view authorization
              - if attributeSecurity.isReadonly() : check field modify authorization
              
            Note: Use the dictoinaryObjectEntry for the data object and the dictionaryAttributeName as the attribute name. If not set, use the object given by the view's default
            binding path and the property name of the attribute field

            Checks should go through the corresponding authorizer

            Note special handling needs to be done for collection fields (calling to get additional details)

            # Invoke in performComponentApplyModel after runComponentModifiers call

            --------------------


            Note the presentation/authorizer classes we are working with in krad are located in uif/authorization. The KNS version are located in document.authorization, bo.authorization, and some other packages.

            Needs more analysis. In particular for other presentation/authorizer methods and button permissions.

            Document well and apply formatting
            sgibson Scott Gibson (Inactive) made changes -
            Fix Version/s 2.0.0-m7 [ 16314 ]
            Fix Version/s 2.0 [ 14190 ]
            sgibson Scott Gibson (Inactive) made changes -
            Start Date
            Fix Date 2011-08-08 [ set to sprint end date ]
            sgibson Scott Gibson (Inactive) made changes -
            Start Date
            Fix Date 2011-09-06 [ set to sprint end date ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Fix Version/s 2.0.0-m8 [ 16326 ]
            Fix Version/s 2.0.0-m7 [ 16314 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Start Date
            Fix Date 2011-09-06 2011-09-05 [ set to sprint end date ]
            vpremcha Venkat PremChandran (Inactive) made changes -
            Assignee Venkat PremChandran [ vpremcha ] Jerry Neal [ jkneal ]
            sgibson Scott Gibson (Inactive) made changes -
            Fix Version/s 2.0.0-m9 [ 16327 ]
            Fix Version/s 2.0.0-m8 [ 16326 ]
            sgibson Scott Gibson (Inactive) made changes -
            Start Date
            Fix Date 2011-09-05 2011-10-10 [ set to sprint end date ]
            jkneal Jerry Neal (Inactive) made changes -
            Priority Major [ 3 ] Blocker [ 1 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Rice Lead sgibson
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Fix Version/s 2.0.0-b1 [ 16315 ]
            Fix Version/s 2.0.0-m9 [ 16327 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Start Date
            Fix Date 2011-10-10 2011-11-07 [ set to sprint end date ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Fix Version/s 2.0.0-b2 [ 16371 ]
            Fix Version/s 2.0.0-b1 [ 16315 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Start Date
            Fix Date 2011-11-07 2011-11-21 [ set to sprint end date ]
            ewestfal Eric Westfall made changes -
            Fix Version/s 2.0.0-b2 [ 16371 ]
            jkneal Jerry Neal (Inactive) made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Fix Version/s 2.0.0-b3 [ 16375 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Start Date
            Fix Date 2011-11-21 2011-12-05 [ set to sprint end date ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Fix Version/s 2.0.0-b4 [ 16376 ]
            Fix Version/s 2.0.0-b3 [ 16375 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Start Date
            Fix Date 2011-12-05 2011-12-19 [ set to sprint end date ]
            sgibson Scott Gibson (Inactive) made changes -
            Fix Version/s 2.0.0-b5 [ 16377 ]
            Fix Version/s 2.0.0-b4 [ 16376 ]
            sgibson Scott Gibson (Inactive) made changes -
            Start Date
            Fix Date 2011-12-19 2012-01-09 [ set to sprint end date ]
            jkneal Jerry Neal (Inactive) made changes -
            Status In Progress [ 3 ] Open [ 1 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Priority Blocker [ 1 ] Critical [ 2 ]
            jkneal Jerry Neal (Inactive) made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            jcoltrin Jessica Coltrin (Inactive) made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            spatterson Shem Patterson (Inactive) made changes -
            Workflow custom [ 98926 ] Copy of custom for rice [ 212840 ]
            spatterson Shem Patterson (Inactive) made changes -
            Workflow Copy of custom for rice [ 212840 ] custom [ 222588 ]
            spatterson Shem Patterson (Inactive) made changes -
            Workflow custom [ 222588 ] Rice Workflow [ 232336 ]

              People

              • Assignee:
                jkneal Jerry Neal (Inactive)
                Reporter:
                jkneal Jerry Neal (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: