Story #2659

Updated by Tom Clegg almost 6 years ago

This has two parts:

# Implement a special "Anonymous" group and user
#* Created automatically, much like the "system group". uuid = @xyzzy-j7d0g-anonymouspublic@?
#* In permission checks, make sure @anonymous_group_uuid@ is always in the list of readable groups.
#* This should produce the desired result if someone shares an object with the Anonymous group -- at least for users who are logged in.
# Provide a mechanism for clients to get "anonymous" privileges without using the usual OAuth/SSO procedure.
#* Add an apiserver script to generate a token for the special anonymous user.
#* Be careful in the API server not to let an anonymous user modify its own User object (or anything else normally allowed by the permission system). Setting token scopes to @["GET /"]@ should be enough?
#* Add Workbench configuration item for "anonymous user token". (When this is nil, just use the current behavior.)
#* Workbench has to act a bit differently when deciding to show a login page, redirect to authentication procedure, or just proceed as anonymous user. E.g., bookmark a private page, log out, go back to the private page → show "not found or not authorized" page, and provide an option to log in.
#* Workbench should avoid showing "create new folder" links when operating in anonymous mode. (Probably need to fix some assumptions that "everyone can do X", and improve the "editable?" and "creatable?" methods so they return correct answers when current_user is the anonymous user.)
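
The two server-side checks from the list above, as an added example that is not Arvados API server code: the anonymous group is always among the readable groups, and a token scoped to @["GET /"]@ cannot modify anything. All method names are hypothetical, and the scope-matching rule ("METHOD /path", where a path ending in "/" is a prefix match) is an assumption.

```ruby
# Added illustration; every name here is hypothetical, not Arvados code.
ANONYMOUS_GROUP_UUID = 'xyzzy-j7d0g-anonymouspublic' # uuid proposed in the story
ANONYMOUS_TOKEN_SCOPES = ['GET /'].freeze            # scopes proposed in the story

# Assumed scope semantics: each scope is "METHOD /path". A path ending in "/"
# matches every request path under it; any other path must match exactly.
def scope_allows?(scopes, method, path)
  scopes.any? do |scope|
    s_method, s_path = scope.split(' ', 2)
    next false unless s_method == method.upcase && s_path
    s_path.end_with?('/') ? path.start_with?(s_path) : path == s_path
  end
end

# Groups whose shared objects a caller may read: the caller's own groups plus
# the anonymous group, always, so logged-in users also see public objects.
def readable_group_uuids(user_group_uuids)
  (user_group_uuids + [ANONYMOUS_GROUP_UUID]).uniq
end

# An object is readable if it is shared with one of the caller's readable groups.
def readable?(object_shared_with, user_group_uuids)
  (object_shared_with & readable_group_uuids(user_group_uuids)).any?
end

# Decision for a request made with the anonymous token: the scope must permit
# the HTTP method and path, and the object must be shared with the anonymous
# group (the anonymous user belongs to no other group).
def anonymous_request_allowed?(method, path, object_shared_with)
  scope_allows?(ANONYMOUS_TOKEN_SCOPES, method, path) &&
    readable?(object_shared_with, [])
end
```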

Expected behavior in Workbench:

| |Root url, no anon config |Root url, anon config |Top nav email/acct menu |
|Not logged in |Redirect to /users/welcome |Projects#index[1] |"Log in" button |
|Logged in, active=false, invited=false|Redirect to /users/inactive |Projects#index[2] |Logged-in user's email, with flag indicating "not activated". Click to see /users/welcome |
|Logged in, active=false, invited=true |Redirect to /user_agreements |Projects#index[3] |Logged-in user's email, with flag indicating "not activated". Click to see /user_agreements |
|Logged in, active=true |Projects#index |Projects#index |Logged-in user's email |

fn1. Instead of "my projects", there is a notification panel saying "welcome to arvados" (same as the usual "please login" stuff on front page)

fn2. Instead of "my projects", there is a notification panel saying "your account is not yet activated" (same as the usual "inactive" page)

fn3. Instead of "my projects", there is a notification panel saying "please accept user agreements in order to activate your account" (link/button to /user_agreements)
