Commit 240d910c authored by Ariel Rin

Document Permissions and other Docs Improvements

parent f4c4ae36
......@@ -33,3 +33,20 @@ When you create an autogroup config you will be given the following options:
- Corp/Alliance name source sets the source of the Corp/Alliance name used in creating the group name. Currently the options are Full name and Ticker.
- Replace spaces allows you to replace spaces in the autogroup name with the value in the Replace spaces with field. This can be blank.
## Permissions
Auto Groups are configured via models in the Admin Interface, a user will require the `Staff` Flag in addition to the following permissions.
```eval_rst
+-------------------------------------------+------------------+----------------+
| Permission | Admin Site | Auth Site |
+===========================================+==================+================+
| eve_autogroups.add_autogroupsconfig | Can create model | None. |
+-------------------------------------------+------------------+----------------+
| eve_autogroups.change_autogroupsconfig | Can edit model | None. |
+-------------------------------------------+------------------+----------------+
| eve_autogroups.delete_autogroupsconfig | Can delete model | None. |
+-------------------------------------------+------------------+----------------+
```
There exists more models that will be automatically created and maintained by this module, they do not require end-user/admin interaction. `managedalliancegroup` `managedcorpgroups`
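Review bot: The closing sentence of this hunk names the auto-maintained models as `managedalliancegroup` and `managedcorpgroups`, one singular and one plural, so at least one of them probably does not match the real model name; please check both against the model classes. While there, "There exists more models ..., they do not require" reads better as two sentences ("Further models are created and maintained automatically by this module. They do not require ..."), and the intro line has the same comma splice after "Admin Interface".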
......@@ -102,11 +102,6 @@ To use this feature, users will require some of the following:
+---------------------------------------+------------------+----------------------------------------------------+
| corpstats.add_corpstats | Can create model | Can add new corpstats using an SSO token. |
+---------------------------------------+------------------+----------------------------------------------------+
| corpstats.change_corpstats | Can edit model | None. |
+---------------------------------------+------------------+----------------------------------------------------+
| corpstats.remove_corpstats | Can delete model | None. |
+---------------------------------------+------------------+----------------------------------------------------+
```
Users who add a Corp Stats with their token will be granted permissions to view it regardless of the above permissions. View permissions are interpreted in the "OR" sense: a user can view their corporation's Corp Stats without the `view_corp_corpstats` permission if they have the `view_alliance_corpstats` permission, same idea for their state. Note that these evaluate against the user's main character.
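Review bot: If the rows this hunk drops are `corpstats.change_corpstats` and `corpstats.remove_corpstats` (the header goes from 11 lines to 6 with nothing added), the table no longer tells an admin what the edit and delete permissions do. `remove_corpstats` is not a default Django codename (the default is `delete_corpstats`), so correcting that row rather than deleting it would keep the table consistent with the add/change/delete rows documented for the other apps in this commit.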
......
......@@ -9,3 +9,20 @@ The Fleet Activity Tracking (FAT) app allows you to track fleet participation.
Fleet Activity Tracking requires access to the `esi-location.read_location.v1`, `esi-location.read_ship_type.v1`, and `esi-universe.read_structures.v1` SSO scopes. Update your application on the [EVE Developers site](https://developers.eveonline.com) to ensure these are available.
Add `'allianceauth.fleetactivitytracking',` to your `INSTALLED_APPS` list in your auth project's settings file. Run migrations to complete installation.
## Permissions
To administer this feature, users will require some of the following.
Users do not require any permissions to interact with FAT Links created.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| auth.fleetactivitytracking | None | Create and Modify FATLinks |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| auth.fleetactivitytracking_statistics | None | Can view detailed statistics for corp models and other characters. |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
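Review bot: The `auth.fleetactivitytracking_statistics` row says "corp models and other characters" without stating the scope, so a reader cannot tell whether the holder sees statistics only for their own corporation or for every character on the site. Please state the scope explicitly, since this decides who the permission can safely be given to. The same hunk also spells the object two ways ("FAT Links" in the intro, "FATLinks" in the table); pick one.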
......@@ -40,7 +40,9 @@ Any reviewer who can see the application can view the applicant's APIs if they p
## Permissions
The following permissions have an effect on the website above and beyond their usual admin site functions.
To administer this feature, users will require some of the following.
Users do not require any permission to apply to a corporation and fill out the form.
```eval_rst
+---------------------------------------+------------------+----------------------------------------------------+
......@@ -54,13 +56,12 @@ The following permissions have an effect on the website above and beyond their u
+---------------------------------------+------------------+----------------------------------------------------+
| hrapplications.reject_applications | None | Can reject applications |
+---------------------------------------+------------------+----------------------------------------------------+
| hrapplications.view_apis | None | Can view applicant API keys, and audit in Jacknife |
+---------------------------------------+------------------+----------------------------------------------------+
| hrapplications.add_applicationcomment | Can create model | Can comment on applications |
+---------------------------------------+------------------+----------------------------------------------------+
```
A user with `auth.human_resources` can only see applications to their own corp.
Best practice is to bundle the `auth.human_resources` permission alongside the `hrapplications.approve_application` and `hrapplications.reject_application` permissions, as in isolation these don't make much sense.
## Models
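Review bot: The best-practice sentence at the end of this hunk refers to `hrapplications.approve_application` and `hrapplications.reject_application`, but the table row a few lines up spells it `hrapplications.reject_applications`. Someone searching the admin site for the singular form will not find it, so the prose and the table should use the exact codename, whichever it is.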
......
......@@ -7,3 +7,17 @@ Fleet Operations is an app for organizing and communicating fleet schedules.
## Installation
Add `'allianceauth.optimer',` to your `INSTALLED_APPS` list in your auth project's settings file. Run migrations to complete installation.
## Permissions
To use and administer this feature, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| auth.optimer_view | None | Can view Fleet Operation Timers |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| auth.optimer_manage | None | Can Manage Fleet Operation timers |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
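Review bot: The table does not say whether `auth.optimer_manage` implies `auth.optimer_view`, and the intro only says users need "some of the following". Add one sentence stating whether a manager also needs the view permission, so admins do not grant manage alone and end up with users who can edit timers they cannot see, or over-grant to compensate. Capitalisation also differs between the two rows ("Timers" and "timers").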
......@@ -37,3 +37,15 @@ The permissions audit page will give you an overview of all the users who have a
![permissions audit](/_static/images/features/apps/permissions_tool/audit.png)
Please note that users may appear multiple times if this permission is granted via multiple sources.
## Permissions
To use this feature, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| permissions_tool.audit_permissions | None | Can view the Permissions Audit tool |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
......@@ -7,3 +7,19 @@ Ship Replacement helps you to organize ship replacement programs (SRP) for your
## Installation
Add `'allianceauth.srp',` to your `INSTALLED_APPS` list in your auth project's settings file. Run migrations to complete installation.
## Permissions
To use and administer this feature, users will require some of the following.
```eval_rst
+----------------------+------------------+------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+======================+==================+============================================================+
| auth.access_srp | None | Can create an SRP request from a fleet |
+----------------------+------------------+------------------------------------------------------------+
| auth.srp_management | None | Can Approve and Deny SRP requests, Can create an SRP Fleet |
+----------------------+------------------+------------------------------------------------------------+
| srp.add_srpfleetmain | Can Add Model | Can Create an SRP Fleet |
+----------------------+------------------+------------------------------------------------------------+
```
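Review bot: Two rows in this table grant the same thing on the Auth Site: `auth.srp_management` lists "Can create an SRP Fleet" and `srp.add_srpfleetmain` lists "Can Create an SRP Fleet". Please say whether either one is sufficient on its own or whether both are needed, otherwise an admin cannot tell which is the minimal grant for someone who should open SRP fleets but not approve payouts.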
......@@ -7,3 +7,17 @@ Structure Timers helps you keep track of both offensive and defensive structure
## Installation
Add `'allianceauth.timerboard',` to your `INSTALLED_APPS` list in your auth project's settings file. Run migrations to complete installation.
## Permissions
To use and administer this feature, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| auth.timer_view | None | Can view Timerboard Timers |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| auth.timer_manage | None | Can Manage Timerboard timers |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
......@@ -38,4 +38,26 @@ Group leaders have the same abilities as users with the `group_management` permi
- Approve requests for groups they are a leader of.
- View the Group Membership and Group Members of groups they are leaders of.
This allows you to more finely control who has access to manage which groups. Currently it is not possible to add a Group as group leaders.
This allows you to more finely control who has access to manage which groups.
## Permissions
Group Management should be mostly done using group leaders, a series of permissions are included below for thoroughness.
```eval_rst
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+================================+===================+====================================================================================+
| auth.group_management | None | Can Approve and Deny all Group Requests, Can view and manage all group memberships |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| groupmanagement.request_groups | None | Can Request Non-Public Groups |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| groupmanagement.add_group | Can Add Models | None |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| groupmanagement.change_group | Can Edit Models | None |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| groupmanagement.delete_group | Can Delete Models | None |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
| groupmanagement.view_group | Can View Models | None |
+--------------------------------+-------------------+------------------------------------------------------------------------------------+
```
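Review bot: The rewritten sentence before the new Permissions heading drops "Currently it is not possible to add a Group as group leaders." If that limitation has been lifted, the docs should say how to do it; if it still applies, the caveat should stay. In the new intro, "Group Management should be mostly done using group leaders, a series of permissions are included" is a comma splice, and the four `groupmanagement.*_group` rows say "Models" without naming which model the admin-site access applies to.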
......@@ -26,7 +26,7 @@ This option still respects the Open option.
### Open
When a group is toggled open, users who request to join the group will be immediately added to the group.
When a group is toggled open, users who request to join the group will be immediately added to the group.
If the group is not open, their request will have to be approved manually by someone with the group management role, or a group leader of that group.
......
......@@ -139,6 +139,18 @@ Name Description
=================================== ============================================================================================= =======
```
## Permissions
To use this service, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| discord.access_discord | None | Can Access the Discord Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
## Troubleshooting
### "Unknown Error" on Discord site when activating service
......
......@@ -17,20 +17,26 @@ DISCOURSE_SSO_SECRET = ''
## Install Docker
wget -qO- https://get.docker.io/ | sh
```bash
wget -qO- https://get.docker.io/ | sh
```
## Install Discourse
### Download Discourse
mkdir /var/discourse
git clone https://github.com/discourse/discourse_docker.git /var/discourse
```bash
mkdir /var/discourse
git clone https://github.com/discourse/discourse_docker.git /var/discourse
```
### Configure
cd /var/discourse
cp samples/standalone.yml containers/app.yml
nano containers/app.yml
```bash
cd /var/discourse
cp samples/standalone.yml containers/app.yml
nano containers/app.yml
```
Change the following:
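Review bot: The Install Docker step keeps `wget -qO- https://get.docker.io/ | sh`, which runs a remotely fetched script as root with no chance to inspect it. Since this line is being re-fenced anyway, consider changing the instruction to download the script to a file, review it, and then run it, or to install Docker from the distribution or vendor package repository.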
......@@ -40,38 +46,50 @@ Change the following:
To install behind Apache/Nginx, look for this section:
...
## which TCP/IP ports should this container expose?
expose:
- "80:80" # fwd host port 80 to container port 80 (http)
...
```ini
...
## which TCP/IP ports should this container expose?
expose:
- "80:80" # fwd host port 80 to container port 80 (http)
...
```
Change it to this:
...
## which TCP/IP ports should this container expose?
expose:
- "7890:80" # fwd host port 7890 to container port 80 (http)
...
```ini
...
## which TCP/IP ports should this container expose?
expose:
- "7890:80" # fwd host port 7890 to container port 80 (http)
...
```
Or any other port will do, if taken. Remember this number.
### Build and launch
nano /etc/default/docker
```bash
nano /etc/default/docker
```
Uncomment this line:
```ini
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
```
Restart Docker:
```bash
service docker restart
```
Now build:
```bash
./launcher bootstrap app
./launcher start app
```
## Web Server Configuration
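Review bot: The two `expose:` snippets are excerpts from `containers/app.yml`, so the fence tag should be `yaml` rather than `ini`; as tagged, the highlighter will treat the list item and the `#` comments as INI. In the same snippet, `"7890:80"` publishes the container on every host interface, while the next section puts a reverse proxy on the same host in front of it; it would help to add a sentence telling readers to firewall that port or bind it to loopback so Discourse is not reachable directly around the proxy.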
......@@ -79,22 +97,26 @@ You will need to configure your web server to proxy requests to Discourse.
A minimal Apache config might look like:
<VirtualHost *:80>
ServerName discourse.example.com
ProxyPass / http://0.0.0.0:7890/
ProxyPassReverse / http://0.0.0.0:7890/
</VirtualHost>
```ini
<VirtualHost *:80>
ServerName discourse.example.com
ProxyPass / http://0.0.0.0:7890/
ProxyPassReverse / http://0.0.0.0:7890/
</VirtualHost>
```
A minimal Nginx config might look like:
server {
listen 80;
server_name discourse.example.com;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:7890;
}
```ini
server {
listen 80;
server_name discourse.example.com;
location / {
include proxy_params;
proxy_pass http://127.0.0.1:7890;
}
}
```
## Configure API
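Review bot: The Apache example proxies to `http://0.0.0.0:7890/` while the Nginx example uses `http://127.0.0.1:7890`. `0.0.0.0` is a listen wildcard rather than a destination address, so the Apache lines should use `127.0.0.1` as well. Both blocks are also tagged `ini`; `apache` and `nginx` would highlight correctly. The added closing brace on the Nginx `server` block is a good fix.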
......@@ -102,8 +124,10 @@ A minimal Nginx config might look like:
From the `/var/discourse` directory,
./launcher enter app
rake admin:create
```bash
./launcher enter app
rake admin:create
```
Follow prompts, being sure to answer `y` when asked to allow admin privileges.
......@@ -128,3 +152,15 @@ Navigate to `discourse.example.com` and log in. Back to the admin site, scroll d
Save, now set `DISCOURSE_SSO_SECRET` in your auth project's settings file to the secure key you just put in Discourse.
Finally run migrations and restart Gunicorn and Celery.
## Permissions
To use this service, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| discourse.access_discourse | None | Can Access the Discourse Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
......@@ -200,13 +200,16 @@ python /home/allianceserver/myauth/manage.py migrate
supervisorctl restart myauth:
```
## Permissions on Auth
## Permissions
To enable the mumble service for users on Auth you need to give them the `access_mumble` permission. This permission is often added to the `Member` state.
To use this service, users will require some of the following.
```eval_rst
.. note::
Note that groups will only be created on Mumble automatically when a user joins who is in the group.
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| mumble.access_mumble | None | Can Access the Mumble Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
## ACL configuration
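Review bot: Going by the line counts in the header, this hunk removes both the sentence saying `access_mumble` is often added to the `Member` state and the note that groups are only created on Mumble when a user in the group joins. The second one is operational behaviour an admin will otherwise mistake for a bug, so please keep the `.. note::` (in its own `eval_rst` block, above or below the new table) and consider keeping the `Member` state hint as well.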
......@@ -296,4 +299,4 @@ Edit `authenticator.ini` and change (or add for older installs) This code block.
avatar_enable = True
;Get EvE avatar images from this location. {charid} will be filled in.
ccp_avatar_url = https://images.evetech.net/characters/{charid}/portrait?size=32
```
\ No newline at end of file
```
......@@ -20,18 +20,25 @@ BROADCAST_SERVICE_NAME = "broadcast"
```
## Dependencies
Openfire require a Java 8 runtime environment.
Ubuntu:
apt-get install openjdk-8-jdk
```bash
apt-get install openjdk-8-jdk
```
CentOS:
yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
```bash
yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
```
## Setup
### Download Installer
Openfire is not available through repositories so we need to get a package from the developer.
On your PC, navigate to the [Ignite Realtime downloads section](https://www.igniterealtime.org/downloads/index.jsp), and under Openfire select Linux, click on the Ubuntu: Debian package (second from bottom of list, ends with .deb) or CentOS: RPM Package (no JRE bundled, as we have installed it on the host)
......@@ -42,27 +49,31 @@ In the console, ensure you’re in your user’s home directory: `cd ~`
Now download the package. Replace the link below with the link you got earlier.
wget https://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.2.3_all.deb
`wget https://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.2.3_all.deb`
Now install from the package. Replace the filename with your filename (the last part of the download URL is the file name)
Ubuntu:
dpkg -i openfire_4.2.3_all.deb
`dpkg -i openfire_4.2.3_all.deb`
CentOS:
yum install -y openfire-4.2.3-1.noarch.rpm
`yum install -y openfire-4.2.3-1.noarch.rpm`
### Create Database
Performance is best when working from a SQL database. If you installed MySQL or MariaDB alongside your auth project, go ahead and create a database for Openfire:
mysql -u root -p
create database alliance_jabber;
grant all privileges on alliance_jabber . * to 'allianceserver'@'localhost';
exit;
```bash
mysql -u root -p
create database alliance_jabber;
grant all privileges on alliance_jabber . * to 'allianceserver'@'localhost';
exit;
```
### Web Configuration
The remainder of the setup occurs through Openfire’s web interface. Navigate to http://example.com:9090, or if you’re behind CloudFlare, go straight to your server’s IP:9090.
Select your language. I sure hope it’s English if you’re reading this guide.
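Review bot: In the Create Database block, the `bash` fence mixes one shell command (`mysql -u root -p`) with SQL statements typed at the MySQL prompt; split it into a `bash` fence for the first line and a `sql` fence for the rest so readers do not paste the SQL into their shell. The `wget`, `dpkg` and `yum` lines in this hunk were converted to inline backticks while every other command in the commit uses a fenced block, and the `wget` URL contains `?`, which should be quoted to avoid shell globbing.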
......@@ -72,9 +83,10 @@ Under Server Settings, set the Domain to `example.com` replacing it with your ac
Under Database Settings, select `Standard Database Connection`
On the next page, select `MySQL` from the dropdown list and change the following:
- `[server]` is replaced by `127.0.0.1`
- `[database]` is replaced by the name of the database to be used by Openfire
- enter the login details for your auth project's database user
- `[server]` is replaced by `127.0.0.1`
- `[database]` is replaced by the name of the database to be used by Openfire
- enter the login details for your auth project's database user
If Openfire returns with a failed to connect error, re-check these settings. Note the lack of square brackets.
......@@ -85,12 +97,14 @@ Create an administrator account. The actual name is irrelevant, just don’t los
Finally, log in to the console with your admin account.
Edit your auth project's settings file and enter the values you just set:
- `JABBER_URL` is the pubic address of your jabber server
- `JABBER_PORT` is the port for clients to connect to (usually 5223)
- `JABBER_SERVER` is the name of the jabber server. If you didn't alter it during install it'll usually be your domain (eg `example.com`)
- `OPENFIRE_ADDRESS` is the web address of Openfire's web interface. Use http:// with port 9090 or https:// with port 9091 if you configure SSL in Openfire
- `JABBER_URL` is the pubic address of your jabber server
- `JABBER_PORT` is the port for clients to connect to (usually 5223)
- `JABBER_SERVER` is the name of the jabber server. If you didn't alter it during install it'll usually be your domain (eg `example.com`)
- `OPENFIRE_ADDRESS` is the web address of Openfire's web interface. Use http:// with port 9090 or https:// with port 9091 if you configure SSL in Openfire
### REST API Setup
Navigate to the `plugins` tab, and then `Available Plugins` on the left navigation bar. You’ll need to fetch the list of available plugins by clicking the link.
Once loaded, press the green plus on the right for `REST API`.
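Review bot: The `JABBER_URL` list item still reads "the pubic address of your jabber server"; since the line is being re-indented in this hunk, please fix it to "public" in the same change.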
......@@ -109,12 +123,12 @@ Broadcasting requires a plugin. Navigate to the `plugins` tab, press the green p
Navigate to the `Server` tab, `Server Manager` subtab, and select `System Properties`. Enter the following:
- Name: `plugin.broadcast.disableGroupPermissions`
- Value: `True`
- Do not encrypt this property value
- Name: `plugin.broadcast.allowedUsers`
- Value: `broadcast@example.com`, replacing the domain name with yours
- Do not encrypt this property value
- Name: `plugin.broadcast.disableGroupPermissions`
- Value: `True`
- Do not encrypt this property value
- Name: `plugin.broadcast.allowedUsers`
- Value: `broadcast@example.com`, replacing the domain name with yours
- Do not encrypt this property value
If you have troubles getting broadcasts to work, you can try setting the optional (you will need to add it) `BROADCAST_IGNORE_INVALID_CERT` setting to `True`. This will allow invalid certificates to be used when connecting to the Openfire server to send a broadcast.
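Review bot: The paragraph after the property list recommends `BROADCAST_IGNORE_INVALID_CERT = True` as a troubleshooting step without saying that it turns off certificate verification for the connection that sends broadcasts. Please add a sentence that this is for diagnosis only, and that the lasting fix is a valid certificate on the Openfire server, after which the setting should be removed.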
......@@ -123,15 +137,29 @@ If you have troubles getting broadcasts to work, you can try setting the optiona
Once all settings are entered, run migrations and restart Gunicorn and Celery.
### Group Chat
Channels are available which function like a chat room. Access can be controlled either by password or ACL (not unlike mumble).
Navigate to the `Group Chat` tab and select `Create New Room` from the left navigation bar.
- Room ID is a short, easy-to-type version of the room’s name users will connect to
- Room Name is the full name for the room
- Description is short text describing the room’s purpose
- Set a password if you want password authentication
- Every other setting is optional. Save changes.
- Room ID is a short, easy-to-type version of the room’s name users will connect to
- Room Name is the full name for the room
- Description is short text describing the room’s purpose
- Set a password if you want password authentication
- Every other setting is optional. Save changes.
Now select your new room. On the left navigation bar, select `Permissions`.
ACL is achieved by assigning groups to each of the three tiers: `Owners`, `Admins` and `Members`. `Outcast` is the blacklist. You’ll usually only be assigning groups to the `Member` category.
## Permissions
To use this service, users will require some of the following.
```eval_rst
+---------------------------------------+------------------+--------------------------------------------------------------------------+
| Permission | Admin Site | Auth Site |
+=======================================+==================+==========================================================================+
| openfire.access_openfire | None | Can Access the Openfire Service |
+---------------------------------------+------------------+--------------------------------------------------------------------------+
```
# phpBB3
## Overview
phpBB is a free PHP-based forum.
## Dependencies
phpBB3 requires PHP installed in your web server. Apache has `mod_php`, NGINX requires `php-fpm`. See [the official guide](https://www.phpbb.com/community/docs/INSTALL.html) for PHP package requirements.
## Prepare Your Settings
In your auth project's settings file, do the following:
- Add `'allianceauth.services.modules.phpbb3',` to your `INSTALLED_APPS` list
- Append the following to the bottom of the settings file:
- Add `'allianceauth.services.modules.phpbb3',` to your `INSTALLED_APPS` list
- Append the following to the bottom of the settings file:
```python
# PHPBB3 Configuration
......@@ -25,32 +29,43 @@ DATABASES['phpbb3'] = {
```
## Setup
### Prepare the Database
Create a database to install phpBB3 in.
mysql -u root -p
create database alliance_forum;
grant all privileges on alliance_forum . * to 'allianceserver'@'localhost';
exit;
```bash
mysql -u root -p
create database alliance_forum;
grant all privileges on alliance_forum . * to 'allianceserver'@'localhost';
exit;
```
Edit your auth project's settings file and fill out the `DATABASES['phpbb3']` part.
### Download phpBB3
phpBB3 is available as a zip from their website. Navigate to the website’s [downloads section](https://www.phpbb.com/downloads/) using your PC browser and copy the URL for the latest version zip.
In the console, navigate to your user’s home directory: `cd ~`
Now download using wget, replacing the URL with the URL for the package you just retrieved
wget https://www.phpbb.com/files/release/phpBB-3.2.2.zip
```bash
wget https://www.phpbb.com/files/release/phpBB-3.2.2.zip
```
This needs to be unpackaged. Unzip it, replacing the file name with that of the file you just downloaded
unzip phpBB-3.2.2.zip
```bash
unzip phpBB-3.2.2.zip
```
Now we need to move this to our web directory. Usually `/var/www/forums`.
mv phpBB3 /var/www/forums
```bash
mv phpBB3 /var/www/forums
```
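Review bot: The download steps fetch `phpBB-3.2.2.zip`, unzip it and move it straight into `/var/www/forums` with no integrity check. Add a step that compares the archive against the checksum published by phpBB for that release, if one is listed, before unpacking. The Prepare the Database block in this hunk also puts SQL statements inside a `bash` fence after `mysql -u root -p`; a separate `sql` fence would make clear where they are typed.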