Authorizations via engines & two examples#2024
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2024 +/- ##
=========================================
+ Coverage 98.58% 98.6% +0.02%
=========================================
Files 1190 1239 +49
Lines 27442 28439 +997
=========================================
+ Hits 27053 28042 +989
- Misses 389 397 +8 |
44dd944 to
4ec46ba
Compare
f9211b5 to
babf43c
Compare
d169425 to
9ba8a55
Compare
|
Hei! This should be ready now for an initial review. I finally added "postal letter verifications" as well in here. Let me know if you want it splitted away, or if it's fine. I've updated the PR's description and I'll be posting some more screenshots later today. |
9ba8a55 to
dad47ea
Compare
|
Hi @deivid-rodriguez - this looks very promising. Before reviewing the code though, there's a tricky scenario you maybe didn't have into account: managed users. Managed users can't be impersonated without re-entering the user's authorization data, which looks kind of incompatible with "deferred" (engine?) authorizations. Maybe we could include that information (deferred authorizations) in the manifest in order to exclude them from managed users? It doesn't seem trivial to manage it in a different way. Thanks! |
Yes, I did! 😄 See #1871 (comment). My solution is to only use direct authorization handlers for impersonations. |
Regarding the implementation, at the moment authorization handlers are not registered through a manifest but just like they are registered now through a global configuration. So to figure out the "authorization" type I "auto-detect" it:
It's this magic here: I wanted to keep backwards compatibility in this first MVP and it seemed nice to still be able to register handlers directly as it's done now. But looking backwards I should've probably unified everything under a manifest. |
3b570e4 to
ef30dde
Compare
|
Some heads up here, I renewed the screenshots. While recording them, I found several bugs and improvements which I've fixed and added. There's some general fixes in here that I could extract out of this PR if you wanted me to. |
|
@deivid-rodriguez screenshots look superawesome! I'll try to find some time today to review the PR! 😄 |
|
@mrcasals Do you see them as blurry as I do? The screen recording process I'm using not only quasi-freezes my laptop but also doesn't generate great gifs. But things should look better in real life 😃 |
|
Ah yes, GIFs look blurry, but that's a problem with GIFs I guess, so we can't do much about it... |
|
@deivid-rodriguez with this PR, does this mean we can extend decidim with new authorizations bundled in a gem? I'm thinking about the Spanish IDs (DNI, NIE, passport) we're using in Barcelona/Terrassa/Sant Cugat. They are mostly the same (census authorization), they mostly use the same fields, and only change how to check the values to an API. Would we be able to extract this in a gem? |
|
Awsome work! Heads up @mrcasals - authorizations can be already bundled in
a gem :)
…On Oct 20, 2017 11:58, "Marc Riera" ***@***.***> wrote:
@deivid-rodriguez <https://github.com/deivid-rodriguez> with this PR,
does this mean we can extend decidim with new authorizations bundled in a
gem? I'm thinking about the Spanish IDs (DNI, NIE, passport) we're using in
Barcelona/Terrassa/Sant Cugat. They are mostly the same (census
authorization), they mostly use the same fields, and only change how to
check the values to an API.
Would we be able to extract this in a gem?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2024 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAG0ggcRYZDuA_5VyDvX0wIPUE_MG7lfks5suG7EgaJpZM4P1M0d>
.
|
decidim-verifications/README.md
Outdated
| authorization method they require. For example, a decidim instance might | ||
| choose to require census authorization to create proposals, but a fully | ||
| verified address via a verification code for voting on proposals. which | ||
| authorization. methods to use to let users get verified, and |
There was a problem hiding this comment.
This last sentence looks weird.
There was a problem hiding this comment.
Oooops, I'll fix this.
| verification_number: 'Verification #%{n}' | ||
| rejections: | ||
| create: | ||
| success: Verification rejected. User will be prompted to ammend her documents |
|
@deivid-rodriguez über-nice work! I think I'll need to work on adding a new authorization method in order to fully understand how to do that, because it looks a bit complicated, but that's OK. Should we move the authorizations we have in core to this new engine? They might be simple enough, but this way we keep similar things together. Apart from that, really nice work, thanks! ❤️ |
Yes, it is a bit complicated... In a future iteration I think we could unify everything under a manifest like @josepjaume intended / suggested. This will be simpler implementation-wise and towards users since we'll have a single way of registering (and documenting) authorization methods. Something like: Decidim::Verifications.register_verification_method(:id_documents) do |verification|
verification.engine = Decidim::Verifications::IdDocuments::Engine
verification.admin_engine = Decidim::Verifications::IdDocuments::AdminEngine
endor, for current handlers, Decidim::Verifications.register_verification_method(:barcelona_census) do |verification|
verification.form = Decidim::Barcelona::CensusHandler
endHowever, I think we can release this way for now, since it allows us to start experimenting with this new authorization methods without breaking compatibility with the old ones (and thus not having to deal yet with data migrations, and so on). |
Absolutely! I scheduled myself to do this, but I forgot! Assuming you mean under the new "gem" (note that there's one "engine" per authorization method, or even two if the authorization method needs admin intervention). |
Make the whole thing clickable.
Since cases where the letter has already been sent are displayed too.
Activate it when editing permissions or configuring the feature.
Add a new `Decidim::Verifications::Engine` that mounts all available authorization workflows.
55344c0 to
d54d515
Compare
josepjaume
left a comment
There was a problem hiding this comment.
You did an amazing work here, @deivid-rodriguez. Top quality! Sorry it took so long to review, but we've had lots of stuff in our plate. Merging this in!!
🎩 What? Why?
This PR implements multi-step and multi-side authorizations via engines as suggested in #1871. It keeps support as is for simpler authorizations via rectify forms but introduces the possibility to implement more complex scenarios by declaring a manifest with a engine and (optionally) an admin engine. I've called these new authorization methods "workflow authorizations" as opposed to "handler authorizations".
The manifest is currently very simple and just allows to register the verification workflow and its engines:
decidim/decidim-verifications/lib/decidim/verifications/id_documents/workflow.rb
Lines 1 to 6 in 44dd944
I'm not sure whether these new authorization engines should live in a separate gem, in a separate repo, namespaced inside
decidim-{core,admin}? For now I've gone with the first option but I'm open to suggestions.As the first examples, I've added authorizations via identity document upload as explained in #1815, and authorizations via code by postal mail as explained in #2030.
📌 Related Issues
📋 Subtasks
Common
Identity documents
Letters
Ideas for future iterations (will migrate to separate tickets if accepted as improvements)
📷 Screenshots (optional)
Enabling authorization methods for an organization
Enabling authorization methods for specific actions
Verification with identity documents
Verification with postal letter
👻 GIF