[Freeipa-devel] ACI permissions UI up for review

Sat Dec 11 19:49:47 UTC 2010

Dmitri,

While I don't expect you to do the review of the patch, I would 
appreciate at least a visual inspection of the completed UI.  Since 
there seems to be something wrong with the install/UI right now, I've 
posed the lates on my Fedora People page.  You should be able to see it 
from here:

http://admiyo.fedorapeople.org/ipa/static/#navigation=2&role-entity=permission&ipaserver=0&permission-facet=details&permission-pkey=modifygroupmembership

Please let me know if  you can or cannot see it.  If you can, I'd like 
to point out a couple things:

  Selecting the object type radio button displays the attribute list in 
a multi column form.  Selecting one of the others hides it.  Ben and I 
decided to move it to the bottom, so that none of the other page 
elements move.     The values are from LDAP, and may be non-intuitive 
for someone coming to IPA from outside of that realm.  The set of values 
displayed is from the sample data, which might need to be updated.  The 
live site on my machine has a smaller set.  It made the arbitrary 
decision to put 40 attributes per column, which is easy to change.

Biggest thing that was getting lost was the filter.  So, we moved that 
to the top, and added a checkbox for using/not using it.  Since the 
Filter can apply to any of the other types, v it was removed from the 
radio button set.  The radio button et needs a 'none' option, but that 
requires that the filter checkbox be set.  This will require a touch 
more work.

THe   Add button off the list page uses the same code as the details.  
The attributes table here pushes all of the buttons way down the page, 
but I want to leave it that way until I confirm the the updates work.  
Once Updates are fixed (Rob has a patch up for review already)  We can 
remove the attributes from this page.  This means that creating a 
permission that requires attribute values will happen in two stages: 
add, with permissions and the object, then details page, where the user 
will select the attributes.  I can either leave the filter on, or remove 
it from the add page as well.  I think we need the rest of the info that 
is on there in order to successfully get through the permission-add rpc.

I added another option to the radio button set: targetgroup.  This is 
showing up ion the ACIs that come up from permission-find.  I am 
currently populating the select with the values from doing a group-find 
RPC.  i've added a filter field, as we once again have the possibility 
of having more than 100 groups, and needing to find a group outside that 
set.  CUrrently, the query re-exectes on click of the radio button, but 
that is not ideal.  Ben suggested that we could resend the query with 
each keystroke, and re-populate the select box, but that might generate 
a slew of network traffic, and slow down the UI.  I won't know unless I 
implement, and I've lower hanging fruit to pick first.

According to Rob, the set of permissions can be a mix of object level 
(add and delete) and attribute (write) although this is odd.  Thus, the 
set of permissions is done via checkboxes.  This does mean that the user 
can select none, and will get an error back on submit.

With Endi on PTO, Pavel is really the only one that can review this 
code, and even he will have to take some time to learn the changes that 
Endi and I have made since he was heads down in it.