Add 2 paragraphs :D

master
Petr Stefan 8 years ago
parent adb8d03102
commit 974f4ee467

@ -454,7 +454,33 @@ and everybody seems happy about it. There are other communicating channels every
user have available like email or git, but they are totally inappropriate for
designing user interfaces on top of them.
@todo: what type of users there should be, why they are needed
The application interacts with users. From the project assignment is clear, that
the system has to keep personalized data about users and adapt presented content
according to this knowledge. User data cannot be publicly visible, so that
implies necessity of user authentication. There are several way of
auhtentication user in web applications. HTTP basic authentication has a few
drawbacks like sending plain credentials in every request or no logout option,
so it is not recommended to use. Using cookies is possible, but it is
susceptible to various types of attacks including stealing and also brings state
into stateless protocols as REST. Another option is using tokens, OAuth2 or JWT
(JSON Web Token). Nowadays it is widely used and has only a few cons (need to
make extra effort to mitigate XSS attacks). Additional option is usage of
one-time passwords. These can be time or counter based and are mostly used for
two-factor authentication. Since ReCodEx does not need to have military grade
security, JWT tokens are used for authentication. However, two-factor
authentication may come in next releases.
User data also includes a privilege level. From the assignment it is required to
have at least two roles, _student_ and _supervisor_. However, it is wise to add
_administrator_ level, which takes care of the system as a whole and is
responsible for core setup, monitoring, updates and so on. Student role has the
least power, basically can just view assignments and submit solutions.
Supervisors have more authority, so they can create exercises and assignments,
view results of students etc. From the university organization, one possible
level could be introduced, _course guarantor_. However, from real experience all
duties related with lecturing of labs are already associtated with supervisors,
so this role seems not so useful. In addition, no one requested more than three
level privilege scheme.
@todo: groups, they can be public and private and why is that, what it solves, explain and discuss threshold and other group features

Loading…
Cancel
Save