secure our rest/gwt apis/UI (only authenticated users may GET)
An option to allow admin to allow/disallow anonymous doing GET in our api
enabled by default - for new instances only
disallow download/read access to source/translations
lock all pages(except registration, login and info page (info for user to contact admin, report issue etc)), redirect to login page.
Using interceptor or filter to handle most cases.
"enabled by default" for new instances only
This was in our roadmap. How are you planning to implement this? As you already started working on this, can I suggest coming up with a user role model, which would make everything more flexible?
Here is our current plan for this task, taken from our task management system:
Zanata must provide us with these roles:
Admin: has access to every single route and action.
Project manager: has access to all project-related actions, such as new project, document management, translation and proofreading editor etc.
Translator: this is a translator user. Only has access to the translation editor (alpha editor) and its related routes, especially over AJAX calls.
Proofreader: same with translator, except has access to a few more actions, such as approving a translation. Translators and proofreaders cannot actually login. We will use another mechanism to automatically log them in by redirecting from motaword.com. [this last part is exclusive to MW]
Guest: anyone who is not logged in is a guest. Zanata must already have something like this. They cannot ever access any page other than login.
Roles must be dynamic, so we should be able to add/remove roles. "Editor", "QA" kind of roles are not unforeseeable at all.
I know some of this may not work for general public, but it may help to convey our point of view.
Does anything make sense from our plan?
Thanks for the feedback. Currently Zanata is allowing anonymous user to perform 'GET' request from the server. This particular ticket is to allow admin to disable it.
Your feedback seems like a more detailed control of user actions based on their role, which I think they are already in place.
http://docs.zanata.org/en/release/user-guide/admin/admin-overview/#manage-roles (it is not fully documented)
If you need any additional roles/restrictions, we can discuss it in different Jira ticket, or please feel free to submit patch to our github repo.
Thanks for the reply Alex. I actually saw in the admin panel (don't ask why I forgot), looks like it will work for us.