[geeklog-devel] ACL follow-up
Tony Bibbs
tony at tonybibbs.com
Mon Jun 23 16:46:00 EDT 2003
Right, when you log in, all the groups and permissions you have would go
back to the calling application and stored in a user object that is
persisted in the session. That said, the SEC_inGroup, SEC_hasAccess
type functions are actually part of the A&A client only. The server is
only concerned with returning the values for a given user on a given
application.
I think we are on the same page here. I will start making the changes.
Dwight, you may want to update the datamodels accordingly (or do you
want me to do it?).
--Tony
Vincent Furia wrote:
> Before I posted to all this to the web site. I just wanted to respond
> to Tony's input and questions and make sure no one else has anything
> else to say. If not I'll try to get this up on geeklog.net tomorrow.
> I'll embed furhter comments in Tony's email below:
>
> Tony Bibbs wrote:
>
>> Vinny, I think I'm right on with you on the ACL system. However, one
>> point of disagreement is that notion you support that EDIT + ADMIN =
>> OWNER. That isn't true, we should track the creator of the item as
>> the owner. Ok, wait, now that I actually read the SQL you gave, you do
>> have a uid field so I have to assume you are tracking it as I
>> suggested. Never mind ;-)
>>
> I think that "author" (the original creator of the item) should be
> stored by the item along with any other information. My reference to
> OWNER above is more like being the owner of a file under unix. The
> owner has a large amount of control over the file. The big difference
> is that this ACL scheme could support multiple owners for a single item.
>
>> Now, to adequately address the real possibility of having multiple
>> ACL's let me give a high level objet model:
>>
>> ACL_Factory: Class that creates ACL libraries on the fly. The
>> specific ACL system to use is determined by a config.php setting. All
>> this object does is instantiate the right ACL system and returns it.
>
> This might be over kill, a simple configuration variable pointing to the
> version of BaseACL you wish to use would probably be sufficient. But if
> you'd prefer to go this I don't see any obsticles.
>
>>
>> BaseACL: Abstract class (not instantiated directly) that all ACL
>> systems inherit from. The methods here would be similar to the ones
>> found in GL 1.3.x's lib-security.php (i.e. getUserGroups, inGroup,
>> hasAccess, getUserPermissions, etc).
>
> Always a good idea in OOP programming.
>
>>
>> Default_ACL: This extends BaseACL by implementing the system that
>> Vinny is talking about.
>
> Cool.
>
>>
>> For those who care, using the factory design pattern now lets you
>> implement any ACL system All it has to do is inherit from BaseACL.
>> The data model vinny is proposing seems to me to be generic enough to
>> handle any ACL system. Only thing I am fuzzy on is how you plan on
>> tying people to groups and groups to groups? The same way as 1.3.x does?
>
>
> I was under the impression that the A&A module would handle getting the
> user and group info, however and where ever they may be stored. For
> whichever parts I'm wrong on this, current 1.3.x handling of group
> membership would be sufficient. I might add that a well though out set
> of access rights would mean we could get rid of about 75% of the 1.3.x
> "rights". The remaining rights (such as story.submit, comment.delete,
> etc) could be considered items under ACL control.
>
>>
>> --Tony
>>
>>
>
> --Vinny
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-devel
More information about the geeklog-devel
mailing list