I wanted to touch base with experienced people on a proposed solution -
am I missing something already in acegi?

 

Our data model requires most protected objects to have 2-3 GA
(cumulative) permissions for each object, e.g., one set of rights as a
professor at Wassamatta University, and another set of rights as a
professor of economics.  The PM wants to have the core GA rights
assignable at runtime.  I really, really want to avoid having to touch
all of the ACLs whenever he changes these assignments.

 

My current thought is to have a new table that provides core rights for
the GA (using a { sid, oid javatype, permissions } tuple) and a
unix-style 'umask' in the ACE.  The actual permission would be the core
permissions less the umask.  The umask would almost always be 0, meaning
the ACE uses whatever permissions are in the core table.

 

Two questions:

 

- is this the best approach to the problem?  Or am I missing a feature
in acegi?


- in practice, is it better to write a new AclImpl that understands
umasks or a complex query that hides this at the db level so we can use
a standard BasePermission or CumulativePermission?  We would still need
to track umask internally for editing purposes.

 

Bear
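
The scheme described in the message above, as an added example that is not part of the original post and not Acegi code: a core-rights table keyed by (sid, javatype), ACEs that store only a umask, and the effective mask computed as core permissions less the umask. The class name, bit values, role names and the OR-combination of several GAs are assumptions made for illustration.

```java
import java.util.*;

public class UmaskAclDemo {
    // Constructed bit values for this example only (not Acegi's constants).
    static final int READ = 1, WRITE = 2, CREATE = 4, DELETE = 8;

    // Core table: (sid, javatype) -> permission mask, editable at runtime.
    static final Map<String, Integer> coreRights = new HashMap<>();

    // One ACE per (object, sid); it stores only the bits to take away.
    record Ace(String sid, int umask) {}

    static String key(String sid, String javaType) { return sid + "|" + javaType; }

    // Effective mask for one ACE: core permissions less the umask.
    // A sid with no core row gets 0, so a missing row denies by default.
    static int effective(Ace ace, String javaType) {
        int core = coreRights.getOrDefault(key(ace.sid(), javaType), 0);
        return core & ~ace.umask();
    }

    // Assumed cumulative rule: OR the effective masks of every ACE whose sid the caller holds.
    static int cumulative(List<Ace> acl, String javaType, Set<String> heldSids) {
        int mask = 0;
        for (Ace ace : acl) {
            if (heldSids.contains(ace.sid())) mask |= effective(ace, javaType);
        }
        return mask;
    }

    public static void main(String[] args) {
        String type = "com.example.Course"; // hypothetical protected type
        coreRights.put(key("ROLE_PROFESSOR", type), READ);
        coreRights.put(key("ROLE_ECON_PROFESSOR", type), READ | WRITE | DELETE);

        // ACL of one Course object: the second ACE masks out DELETE for this object only.
        List<Ace> acl = List.of(new Ace("ROLE_PROFESSOR", 0),
                                new Ace("ROLE_ECON_PROFESSOR", DELETE));
        Set<String> caller = Set.of("ROLE_PROFESSOR", "ROLE_ECON_PROFESSOR");
        System.out.println("before core change: " + cumulative(acl, type, caller));

        // Runtime change to the core table; no ACE is touched.
        coreRights.put(key("ROLE_PROFESSOR", type), READ | DELETE);
        System.out.println("after core change:  " + cumulative(acl, type, caller));
    }
}
```

The second call shows the case to check when editing the core table: a umask applies only to its own ACE, so a bit masked on one GA's ACE comes back if another GA held by the same caller is later granted that bit in the core table.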

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
