|
1 | 1 | # UBC CWL AUTH |
2 | 2 |
|
| 3 | +### About |
| 4 | + |
| 5 | +This module's purpose is to bring together the functionality required to handle our use cases for permissions based authentication, which __can__ be used in conjunction with CWL authentication. The contrib module to handle a CWL integration in this case is __samlauth__ (https://www.drupal.org/project/samlauth). |
| 6 | + |
| 7 | +This module and it's dependencies should work the same in Drupal 10 and Drupal 11. |
| 8 | + |
| 9 | +Upon installation, the install file will conditionally create the 'CWL' role. Additionally it will create a Taxonomy Vocabulary called 'Visibility', and create 2 terms, 'General' and 'CWL'. Those two taxonomy terms will also have role permissions attached to them, via the **permissions_by_term** module. |
| 10 | + |
| 11 | +The functionality provided by this module is to subscribe to 403 events, and redirect any 403s where the user does not have the CWL role to /saml/login. This redirect path will then kickoff a CWL login handshake via the **samlauth** module, if installed. Or if samlauth is not installed, a custom page or custom functionality can be put at that route. |
| 12 | + |
3 | 13 | ### Files |
4 | 14 | **Event Subscriber** - Subscribes to Exceptions, but only implements logic on 403. Checks for 'CWL' role and redirects accordingly. |
5 | 15 |
|
|
20 | 30 | **permissions_by_term** - Allows you to use a taxonomy vocabulary to set User role permissions. This creates a preferable Edit form experience over the private content module. |
21 | 31 |
|
22 | 32 | **jsonapi_extras** - Not actually a dependency, but required to see JSON endpoints, for testing access control of content exposed through endpoints. |
| 33 | + |
| 34 | + |
| 35 | +### Configuration of Uses Cases |
| 36 | + |
| 37 | + |
| 38 | +#### Single Node CWL Protection |
| 39 | +Add a taxonomy reference field to any content type, referencing the Visibility taxonomy. Make the field mandatory and create a default value of 'General'. |
| 40 | + |
| 41 | +Any node with 'General' visibility is accessible to Anonymous and Authenticated users. Any node with 'CWL' visibility is accessible to 'CWL', 'Content Editor', and 'Administrators'. Those specific role permissions can be customized after installation under the 'Permissions' section of the taxonomy term edit page. |
| 42 | + |
| 43 | +#### Content Type CWL Protection |
| 44 | +For any content type, configure Access and CRUD permissions by going to the content type's 'Manage Permissions' operation (which is part of the **entity_bundle_permissions** module). |
| 45 | + |
| 46 | +#### Media CWL Protection |
| 47 | +For any Media type, configure Access and CRUD permissions by going to the content type's 'Manage Permissions' operation (which is part of the **entity_bundle_permissions** module). |
| 48 | + |
| 49 | +Note: if the **UBC Media Entity Configuration** module is installed, that module's permissions can potentially conflict with the permissions of the **entity_bundle_permissions** module. You can resolved this by providing full access within the **UBC Media Entity Configuration** permissions, and then restricting permissions with the **entity_bundle_permissions** module. |
| 50 | + |
| 51 | +#### Views CWL Protection |
| 52 | +For Views, restrict access permissions by the 'CWL' role. |
| 53 | + |
| 54 | +#### Feeds CWL Protection |
| 55 | + |
| 56 | +If Entities have permissions based access control configured, then JSON feeds accessed without authentication should adhere to the access control you've setup. |
| 57 | + |
0 commit comments