Do I get that correct, although a user doesn't have an 'AppPermission' to access, say, the application front-end of the 'User Manager', he/she could still access and manipulate the graph through a script using the REST API?
IMO this is not correct. A front-end application could consist of different permissions, i.e. read/write access on a specific part of the main content graph, or can access and open the application front-end. With this, a user could get read/write access on a graph without the app front-end. Could also have both, App front-end access and graph CRUD permissions. But could not have just the App permission without having the permission to manipulate the graph. It's like an OSGi bundle that needs another bundle in order to properly work.

-----Original Message-----
From: Manuel Innerhofer [mailto:[email protected]]
Sent: Monday, 22 March 2010 15:13
To: [email protected]
Subject: Permission naming convention for using an application

Hi all,

Reto and I have discussed how to name permissions that give a user permission to use an application front-end. This means even though the user has all permissions needed to use the functionality provided by the application (like modifying a graph etc.), she still can't access its front-end. We came up with the convention that the permission name should end with "AppPermission". For example, the permission needed to access the script manager has the name "ScriptManagerAppPermission".

Cheers,
Manuel
