diff --git a/Rewritten-docs.md b/Rewritten-docs.md index efab2a9..6aa60b7 100644 --- a/Rewritten-docs.md +++ b/Rewritten-docs.md 
@@ -454,7 +454,33 @@ and everybody seems happy about it. There are other communicating channels every user have available like email or git, but they are totally inappropriate for designing user interfaces on top of them. -@todo: what type of users there should be, why they are needed +The application interacts with users. From the project assignment is clear, that +the system has to keep personalized data about users and adapt presented content +according to this knowledge. User data cannot be publicly visible, so that +implies necessity of user authentication. There are several way of +auhtentication user in web applications. HTTP basic authentication has a few +drawbacks like sending plain credentials in every request or no logout option, +so it is not recommended to use. Using cookies is possible, but it is +susceptible to various types of attacks including stealing and also brings state +into stateless protocols as REST. Another option is using tokens, OAuth2 or JWT +(JSON Web Token). Nowadays it is widely used and has only a few cons (need to +make extra effort to mitigate XSS attacks). Additional option is usage of +one-time passwords. These can be time or counter based and are mostly used for +two-factor authentication. Since ReCodEx does not need to have military grade +security, JWT tokens are used for authentication. However, two-factor +authentication may come in next releases. + +User data also includes a privilege level. From the assignment it is required to +have at least two roles, _student_ and _supervisor_. However, it is wise to add +_administrator_ level, which takes care of the system as a whole and is +responsible for core setup, monitoring, updates and so on. Student role has the +least power, basically can just view assignments and submit solutions. +Supervisors have more authority, so they can create exercises and assignments, +view results of students etc. 
From the university organization, one possible +level could be introduced, _course guarantor_. However, from real experience all +duties related with lecturing of labs are already associtated with supervisors, +so this role seems not so useful. In addition, no one requested more than three +level privilege scheme. @todo: groups, they can be public and private and why is that, what it solves, explain and discuss threshold and other group features
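Review bot: The authentication paragraph rejects HTTP basic authentication partly for having "no logout option", then selects JWT without saying how logout, expiry or revocation of an issued token is handled, so the same objection is left open for the chosen scheme. Please add a sentence on token lifetime and on what logging out means for a token that is still valid. In the same paragraph, "tokens, OAuth2 or JWT" followed by "Nowadays it is widely used" reads as if these were interchangeable. OAuth2 is an authorization framework and JWT is a token format, so name which one "it" refers to. The cookie criticism ("brings state into stateless protocols as REST") concerns server-side sessions rather than the cookie itself, and the XSS remark for tokens depends on where the client stores the token, so it would help to state the intended storage. Typos to fix in the added lines: "auhtentication", "associtated", "several way of", and "From the project assignment is clear, that".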