Hi,

I have the same troubles and I would like to change the Access Controller before we release lenya-1.4 as follows:

The ac rights are inherited but it is possible to stop the inheritance from one node, by "removing" the right (adding the right with the method:remove).

The ac rights for a node are computed from the rights given to the node and its ancestors (inheritance). The rights are ordered and the right for a node/identity/role is the first matching right found, beginning from the bottom of the credentials' list in the policy and the ancestor-and-self axis.


For example:

Users  : lenya, alice, levi
Groups : company (lenya, alice, levi)
         trainee (lenya, levi)

Tree and Rights:

company
  (<policy order:1 group:world role:visit method:add/>)
  |
  |- intern
  |    (<policy order:1 group:world   role:visit method:remove/>
  |     <policy order:2 group:company role:edit  method:add/>)
  |    |
  |    |- employees
  |         (<policy order:1 group:trainee role:edit method:remove/>
  |          <policy order:2 user:lenya    role:edit method:add/>)
  |         |
  |         |- lenya
  |         |    (<policy order:1 group:company role:edit method:remove/>
  |         |     <policy order:2 user:lenya    role:edit method:add/>)
  |         |
  |         |- alice
  |         |    (<policy order:1 group:company role:visit method:remove/>
  |         |     <policy order:2 user:alice    role:edit  method:add/>)
  |         |
  |         |- levi
  |              (<policy order:1 group:company role:visit method:remove/>
  |               <policy order:2 user:levi     role:edit  method:add/>)
  |
  |- public

It results in:

- intern can be edited by all users
- employees can be edited by all users of the company, with the exception of the trainees, but the trainee lenya can edit it.
- lenya can be edited only by lenya, ....

At the same time I will try to simplify the Access Control API and make it more flexible. Like for the workflow, I will save the ac rights in the meta data of the document. So there will be no more policies file.

WDOT?

Michael Ralston wrote:
I'm having some trouble with the inflexibility of Lenya's Policy inheritance system. The way a policy can only grant access plus the fact all policies inherit from parent pages makes it difficult to control access to resources.

....
While I'm on the topic of policies... What is the difference between a subtree policy and a url policy and why should both exist?

Subtree policies are inherited, url policies are defined only for a url. ATM Lenya can create only a subtree policy file or only a url policy file. Not so flexible ...

Edith
Michael R



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-- 
Edith Chevrier
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://wyona.com                          http://lenya.apache.org
[EMAIL PROTECTED]                         [EMAIL PROTECTED]