@ -454,7 +454,33 @@ and everybody seems happy about it. There are other communicating channels every
user have available like email or git, but they are totally inappropriate for
designing user interfaces on top of them.
@todo: what type of users there should be, why they are needed
The application interacts with users. From the project assignment is clear, that
the system has to keep personalized data about users and adapt presented content
according to this knowledge. User data cannot be publicly visible, so that
implies necessity of user authentication. There are several way of
auhtentication user in web applications. HTTP basic authentication has a few
drawbacks like sending plain credentials in every request or no logout option,
so it is not recommended to use. Using cookies is possible, but it is
susceptible to various types of attacks including stealing and also brings state
into stateless protocols as REST. Another option is using tokens, OAuth2 or JWT
(JSON Web Token). Nowadays it is widely used and has only a few cons (need to
make extra effort to mitigate XSS attacks). Additional option is usage of
one-time passwords. These can be time or counter based and are mostly used for
two-factor authentication. Since ReCodEx does not need to have military grade
security, JWT tokens are used for authentication. However, two-factor
authentication may come in next releases.
User data also includes a privilege level. From the assignment it is required to
have at least two roles, _student_ and _supervisor_. However, it is wise to add
_administrator_ level, which takes care of the system as a whole and is
responsible for core setup, monitoring, updates and so on. Student role has the
least power, basically can just view assignments and submit solutions.
Supervisors have more authority, so they can create exercises and assignments,
view results of students etc. From the university organization, one possible
level could be introduced, _course guarantor_. However, from real experience all
duties related with lecturing of labs are already associtated with supervisors,
so this role seems not so useful. In addition, no one requested more than three
level privilege scheme.
@todo: groups, they can be public and private and why is that, what it solves, explain and discuss threshold and other group features
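Review bot: the authentication paragraph (from "There are several way of auhtentication user" to "JWT tokens are used for authentication") understates the trade-offs of the chosen option and leaves out the design details a reader needs: it lists XSS as the only con of JWT, but never says where the client stores the token, how long a token is valid, or how a token is invalidated on logout or password change, which are the same concerns the text raises against cookies ("stealing") and basic auth ("no logout option"). Suggest adding one or two sentences on token lifetime, client-side storage and the revocation strategy, and replacing "Since ReCodEx does not need to have military grade security" with the concrete reason JWT was preferred over the alternatives. Two "@todo" placeholders ("what type of users there should be, why they are needed" and the groups paragraph) are committed as documentation text; either fill them in or mark them so they do not get published. Typos: "several way of auhtentication user" -> "several ways of authenticating users", "associtated" -> "associated", "every user have available" -> "every user has available".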