[geeklog-devel] For my friend, Vinny

Tony Bibbs tony at tonybibbs.com
Thu May 29 18:25:21 EDT 2008


Yeah, that's pretty much where I was going with it.  We've been talking about this pretty much all day and we think while this complexity is nice we need to consider using three basic levels of security checking:

1) Blog: Single user blogging about their own stuff.  They never intend to have their site act in any other capacity so no need to complicate the use of ACLs.
2) Community: This would essentially work just like 1.x
3) Enterprise: This would come with a full set of ACL checks per our current discussion.

I'm not sure about the need for both 2 and 3 but I do feel strongly about needing #1.  In fact Michael suggested that during the install we should ask how they intend to use the software to help them pick the right path.

Thoughts?

--Tony

----- Original Message ----
From: Vincent Furia <vfuria at gmail.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Thursday, May 29, 2008 5:17:01 PM
Subject: Re: [geeklog-devel] For my friend, Vinny

Like in GL 1.4.x, you'd have to resolve the total set of group membership before doing the query.  Since you're caching credentials anyway, you could cache the total group membership as well.  So, in your example, a user in group 3 would have a total group membership of 3, B, 2, 1, A.  Then the query would check for rights for all those groups, and "and" the results together (getting the highest level of access granted to those groups).

There are a couple of levels where we can cache this data.  It probably makes sense to keep it denormalized in the user table or the group table and update all users when group memberships are modified.  It can also be cached in the session, but then you run the risk of updated group memberships not being recognized until the session expires.

Let me know if additional/better explanation is needed.  I'm not sure I did all that good a job of describing what I meant.

-Vinny

On Thu, May 29, 2008 at 2:57 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
Lol, so we are getting serious for the GL2 alpha and the ACL stuff is mostly done minus one real PITA.  For reference there's been this page:

http://wiki.geeklog.net/wiki/index.php/Using_ACLsG2

So we've done some incarnation of everything there minus the last section called:

"Selecting Multiple Items Based on Permissions"

Any chance you have the "how" part of that?  My brain is hurting.  Why:

Groups can be tied in a complex web (not necessarily hierarchical).  For example

Group B belongs to Group A
Group C belongs to Group B
Group 2 belongs to Group 1
Group 3 belongs to Group 2
Group 3 belongs to Group B

That's a worst case scenario but me-thinks it'd be awful hard to do in SQL.

--Tony
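
The approach discussed in this thread (resolve the full group membership first, then query once for all of those groups) can be sketched as follows. This is an added example, not code from the thread or from Geeklog; the `item_acl` table, its columns, and the numeric access levels are assumptions, and the ACL rows are constructed sample data.

```python
import sqlite3

# Edges from the thread's example: (member group, group it belongs to).
MEMBER_OF = [("B", "A"), ("C", "B"), ("2", "1"), ("3", "2"), ("3", "B")]

def effective_groups(direct, edges):
    """Return every group reachable from the user's direct groups."""
    parents = {}
    for child, parent in edges:
        parents.setdefault(child, set()).add(parent)
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g in seen:          # already expanded; also terminates on cycles
            continue
        seen.add(g)
        stack.extend(parents.get(g, ()))
    return seen

def readable_items(conn, groups, min_level=1):
    """Items where the highest access held by any group is >= min_level."""
    if not groups:
        return []              # no memberships means no access
    marks = ",".join("?" * len(groups))   # placeholders only, never values
    sql = (f"SELECT item_id, MAX(access) FROM item_acl "
           f"WHERE group_id IN ({marks}) GROUP BY item_id "
           f"HAVING MAX(access) >= ? ORDER BY item_id")
    return conn.execute(sql, [*sorted(groups), min_level]).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item_acl (item_id INT, group_id TEXT, access INT)")
    # Constructed ACL rows: access 0 = none, 1 = read, 2 = edit (hypothetical).
    conn.executemany("INSERT INTO item_acl VALUES (?,?,?)", [
        (10, "A", 1), (10, "2", 2), (11, "C", 2), (12, "1", 1), (13, "3", 0)])
    groups = effective_groups({"3"}, MEMBER_OF)
    return groups, readable_items(conn, groups)

if __name__ == "__main__":
    print(demo())
```

The resolved set is what would be cached per user; it has to be recomputed whenever any edge in the membership table changes, not only when the user's direct groups change.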

