Permissions in COD

Last updated on
28 April 2017

Permissions in COD

Primary tabs

COD uses both the permissions from drupal (admin/people/permissions) as well as conference specific permissions, derived from the Organic Groups module.

COD General Roles

Administrator

  • Full site access, basically user 1, but for users.
  • Give this permission to anyone who is helping manage the drupal sites and/or all conferences for the site.

Content Editor

  • Full access to content for all conferences, lacks the following permissions compared to administrator:
  • No Commerce
  • Sitewide configuration limited to content
  • No user admin privileges

It's important to note the content editor does have panels access and access to other sensitive permissions that should only be given to trusted users. Strongly recommend using paranoia module when giving users this permission.

Session organizer

  • Limited administrator privileges.
  • Gives sitewide access to all sessions, scheduling, etc regardless of conference permissions.
  • attendee manager
  • Limited administrator privileges.
  • Does not give access to user accounts, just ticket registrations.
  • Full commerce administration

Sponsor Organizer

  • Limited administrator privileges.
  • Full commerce administration for paid sponsors
  • Sitewide access to sponsor data and content

Event-Specific Roles

Group Owner

This is the user who created the group, and has permissions also to delete the group. Think of this user as the “sudo” user. Group owners may invite users to private groups they have created, and may grant permissions to other group members. It is the responsibility of the Group Owner to set group-specific permissions for their group members.

Administrator Member

Also known as the “Session Organizer”, this user is the session organizer of the group, assigned to this role by the Group Owner.

Member

This user is a group member, who has been invited to the private group by either the Group Owner or Administrator Member.

Non-member

This is a user who doesn’t have access to the private group. If a group is public, then non-members are your authenticated users who may be trying to interact with the group.

By default in Organic Groups, only the Administrator Member is given permission to manage group members, add group members and add content. If you wish to make changes to this, follow the steps below. To change permissions settings in your COD site, select “Manage Conference”, then “Edit Conference”, then “Permissions.”

Adding and Editing Sessions Workflow for Authenticated Users (Non-Members)

  1. Make sure you as the admin user or the person who is your admin user has given you permission to view and edit sessions.
  2. Make sure that your conference-specific permission to create and edit sessions is enabled for non-members (authenticated users). The permissions are called “Create Session content” and “Edit own Session content.”
  3. Once you have that permission, navigate your browser to the following url to create a session: [yourwebsitename]/add/session
  4. Fill out the fields in the create session form.
  5. If you wish to edit the session, click on the “Edit” tab at the top of the page.

Sitewide roles vs Event (Conference) Roles

Use site-wide roles when administrators for the organization are the same for all conferences.

Use conference roles when...

  • A conference organizer might change roles from conference to conference.
  • Current conference organizers should not be given access to information about future conferences
  • An organizer is only committed to one conference
  • For all attendee per conference settings. IE: Session submission windows, bofs, etc
  • Out of the box experience

Authenticated users have no access to create anything by default. Administrators need to setup each conference to enable the addition of registration, session/paper submissions, etc.
Permissions are set once with COD during installation. While COD may will include updates that tweak the install profile permissions, its the site administrator's responsibility to configure permissions once installed.

Organic Groups Configuration

By default we ship with 'Strict node access permissions' enabled. This allows conferences to deny access to users even if they may have a global setting that allows them to create content. The exception to this rule is content editors and administrators. Because they have 'bypass content access' enabled, they will have access to all conferences regardless of this setting.

Reporting security issues regarding permissions

Generally, it is the responsibility of the site owner to verify permissions are configured to fit their workflow or use case. If a permission is shown to be too lenient during install, COD may issue an update for the installer. This is not a security issue. However, bugs regarding access checking with the distribution do count as a security issue, and should be handled via the procedure for reporting security issues.