[geeklog-devel] ACL follow-up

Dwight Trumbower dwight at trumbower.com
Mon Jun 23 17:07:31 EDT 2003


I should be able to do it. Wednesday night I hope to be geeklog night.



At 03:46 PM 6/23/2003, you wrote:
>Right, when you log in, all the groups and permissions you have would go 
>back to the calling application and stored in a user object that is 
>persisted in the session.  That said, the SEC_inGroup, SEC_hasAccess type 
>functions are actually part of the A&A client only.  The server is only 
>concerned with returning the values for a given user on a given application.
>
>I think we are on the same page here.  I will start making the 
>changes.  Dwight, you may want to update the datamodels accordingly (or do 
>you want me to do it?).
>
>--Tony
>
>Vincent Furia wrote:
>>Before I posted to all this to the web site.  I just wanted to respond to 
>>Tony's input and questions and make sure no one else has anything else to 
>>say.  If not I'll try to get this up on geeklog.net tomorrow. I'll embed 
>>furhter comments in Tony's email below:
>>Tony Bibbs wrote:
>>
>>>Vinny, I think I'm right on with you on the ACL system.  However, one 
>>>point of disagreement is that notion you support that EDIT + ADMIN = 
>>>OWNER.  That isn't true, we should track the creator of the item as the 
>>>owner. Ok, wait, now that I actually read the SQL you gave, you do have 
>>>a uid field so I have to assume you are tracking it as I suggested. 
>>>Never mind ;-)
>>I think that "author" (the original creator of the item) should be stored 
>>by the item along with any other information.  My reference to OWNER 
>>above is more like being the owner of a file under unix.  The owner has a 
>>large amount of control over the file.  The big difference is that this 
>>ACL scheme could support multiple owners for a single item.
>>
>>>Now, to adequately address the real possibility of having multiple ACL's 
>>>let me give a high level objet model:
>>>
>>>ACL_Factory: Class that creates ACL libraries on the fly.  The specific 
>>>ACL system to use is determined by a config.php setting.  All this 
>>>object does is instantiate the right ACL system and returns it.
>>This might be over kill, a simple configuration variable pointing to the 
>>version of BaseACL you wish to use would probably be sufficient.  But if 
>>you'd prefer to go this I don't see any obsticles.
>>
>>>
>>>BaseACL: Abstract class (not instantiated directly) that all ACL systems 
>>>inherit from.  The methods here would be similar to the ones found in GL 
>>>1.3.x's lib-security.php (i.e. getUserGroups, inGroup, hasAccess, 
>>>getUserPermissions, etc).
>>Always a good idea in OOP programming.
>>
>>>
>>>Default_ACL: This extends BaseACL by implementing the system that Vinny 
>>>is talking about.
>>Cool.
>>
>>>
>>>For those who care, using the factory design pattern now lets you 
>>>implement any ACL system  All it has to do is inherit from BaseACL.
>>>The data model vinny is proposing seems to me to be generic enough to 
>>>handle any ACL system.  Only thing I am fuzzy on is how you plan on 
>>>tying people to groups and groups to groups?  The same way as 1.3.x does?
>>
>>I was under the impression that the A&A module would handle getting the 
>>user and group info, however and where ever they may be stored.  For 
>>whichever parts I'm wrong on this, current 1.3.x handling of group 
>>membership would be sufficient.  I might add that a well though out set 
>>of access rights would mean we could get rid of about 75% of the 1.3.x 
>>"rights".  The remaining rights (such as story.submit, comment.delete, 
>>etc) could be considered items under ACL control.
>>
>>>
>>>--Tony
>>>
>>--Vinny
>>_______________________________________________
>>geeklog-devel mailing list
>>geeklog-devel at lists.geeklog.net
>>http://lists.geeklog.net/listinfo/geeklog-devel
>
>_______________________________________________
>geeklog-devel mailing list
>geeklog-devel at lists.geeklog.net
>http://lists.geeklog.net/listinfo/geeklog-devel
>




More information about the geeklog-devel mailing list