Goal

For certain roles where it makes sense it should be possible to authenticate at translate5 only by the fact, that the user comes from a certain IP address. Still it must be possible, that sensible data is not shown to other users.

Currently this makes sense for the roles termSearch and InstantTranslate (the user must have no other roles).

Implementation

• Access control list (ACL): In the ACL it is defined, which roles are enabled for possibly being allowed to access translate5 via IP-based authentication
• System-wide configuration
  • A variable defines, from which IPs the user is allowed to authenticate IP-based
  • A variable defines the roles, the user will have after authentication in translate5 (if roles are defined that do not allow this in ACL, they are ignored)
  • With the upcoming implementation of "TRANSLATE-471 Overwrite system config by client and task" it will be possible to overwrite these 2 configs by client (but not by task)
  • A system config defines a system variable with the cliend-number of the client, for whom the config is active and to whom created temporary users belong (see below). With TRANSLATE-471 this will become obsolete (so part of the implementation of this issue here will only be able to implement with TRANSLATE-471, which becomes more complex then, but which is regarding the effort part of this issue here).
• Creation of temporary users
  • When a user authenticates via IP address, automatically a temporary user is created, that automatically belongs to the client that is configured for the IP range. If no client is configured, the defaultcustomer is used.
  • When the session of this user is deleted, its temporary user entry in translate5 will also be deleted and with it all user associations and tasks (this is a bit complex, since usually a user can only be deleted, if he is not a PM of a task. And a user that uploads a document for download creates under the hood of translate5 an invisible project of which he is PM)