I'm having some trouble with the inflexibility of Lenya's Policy inheritance system. The way a policy can only grant access, plus the fact that all policies inherit from parent pages, makes it difficult to control access to resources.

I notice in FilePolicyManager the following code...

       // The live area should be restrictive and will use the policy belonging
       // to self-or-ancestor
       if (url.startsWith("/live")) {
           while (url.indexOf("/") >= 0) {
               policy = buildSubtreePolicy(controller, url + "/");
               policies.add(policy);
               if (!policy.isEmpty()) {
                   url = "";
               } else {
                   url = url.replaceFirst("/[\\w\\-\\.\\_\\~]*$", "");
               }
           }
       } else {
           String[] directories = url.split("/");
           url = "";

           for (int i = 0; i < directories.length; i++) {
               url += directories[i] + "/";
               policy = buildSubtreePolicy(controller, url);
               policies.add(policy);
           }
       }

Seems a bit strange to hard code that the 'live' area goes up the tree until it finds a policy which isn't empty then stops, while all other areas add all policies all the way up the tree.

I propose something slightly different. First, the Policy interface would need the following added:
   /**
    * Returns if this policy should include policies of parent nodes
    *
    * @return A boolean value
    */
   boolean getDoesInherit();

   /**
    * Sets whether this policy inherits from parent node
    *
    * @param inherit
    *         boolean
    */
   void setDoesInherit(boolean inherit);

Then the PolicyManager.getPolicies could behave like this:
       while (url.lastIndexOf("/") >= 0) {
           policy = buildSubtreePolicy(controller, url);
           policies.add(policy);
           if (!policy.getDoesInherit()) {
               // if this policy doesn't inherit from parent nodes then return now
               return policies;
           }
           url = url.substring(0, url.lastIndexOf("/"));
       }
       return policies;

I believe this is more flexible: it can handle the way 'live' is working in the current code, and also allow the authoring area to have policies which don't inherit all the way up the tree.

While I'm on the topic of policies... What is the difference between a subtree policy and a url policy and why should both exist?

Michael R
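
Added example (not part of the original message, and not Lenya code): a self-contained Java model that runs the three stop rules discussed above over one constructed policy tree, to show which grants reach a restricted child node under each rule. The Policy record, STORE map, effectiveRoles helper and role names are hypothetical; it assumes Java 16+ and absolute URLs without a trailing slash, and uses the same root-ward walk as the proposed loop.

```java
import java.util.*;
import java.util.function.Predicate;

public class PolicyWalkDemo {
    // Hypothetical stand-in for Policy: granted roles plus the proposed flag.
    record Policy(Set<String> grants, boolean doesInherit) {
        boolean isEmpty() { return grants.isEmpty(); }
    }

    static final Policy NONE = new Policy(Set.of(), true);

    // Constructed sample tree; /authoring/hr is meant to be closed to editors.
    static final Map<String, Policy> STORE = Map.of(
        "/authoring",             new Policy(Set.of("editor"), true),
        "/authoring/hr",          new Policy(Set.of("hr-staff"), false),
        "/authoring/hr/salaries", NONE);

    // Walk from the node towards the root, collecting grants, until 'stop' matches.
    // Policies can only grant, so the stop rule is the only thing that restricts.
    static Set<String> effectiveRoles(String url, Predicate<Policy> stop) {
        Set<String> roles = new TreeSet<>();
        while (url.lastIndexOf('/') >= 0) {
            Policy p = STORE.getOrDefault(url, NONE);
            roles.addAll(p.grants());
            if (stop.test(p)) break;
            url = url.substring(0, url.lastIndexOf('/'));
        }
        return roles;
    }

    public static void main(String[] args) {
        String url = "/authoring/hr/salaries";
        // Rule used outside 'live' today: every ancestor contributes.
        System.out.println("all ancestors  : " + effectiveRoles(url, p -> false));
        // Rule used in 'live' today: stop at the first non-empty policy.
        System.out.println("first non-empty: " + effectiveRoles(url, p -> !p.isEmpty()));
        // Proposed rule: stop where a policy says it does not inherit.
        System.out.println("inherit flag   : " + effectiveRoles(url, p -> !p.doesInherit()));
    }
}
```

With this constructed tree, only the all-ancestors rule lets the editor grant from /authoring reach /authoring/hr/salaries; the other two rules stop at /authoring/hr.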


