Jörn Nettingsmeier wrote:
> [EMAIL PROTECTED] wrote:
>
> [...]
>
>> ------- Additional Comments From [EMAIL PROTECTED]  2007-11-21 03:17 -------
>> I introduced a method Role.isAssignable() and a role
>> "sitemanager" with a group of the same name. All users have to update
>> their policies accordingly.
>>
>> Please test and re-open if this doesn't resolve the issue. TIA!
>
> hmm. i don't like this patch at this point in time.
> if i understand richard correctly, he has been handing out the admin
> role to users, thinking that they are limited to the subtree they are
> given. but this opens the hole that a user can browse there and then
> call admin usecases to escalate his/her privileges. if this is correct,
> read on, otherwise i've misunderstood something, so ignore me.
>
> i think this is basically a documentation bug. what's needed for this
> usage scenario is a new role like you introduced, but this is something
> that users can do themselves, tailored to their needs. why do we need a
> new method (e.g. a *fundamental* change to the AC API),

The system can't allow the sitemanager users to assign admin roles to themselves.

> and why should everyone have to update their policies during code freeze?

To avoid this, we could add some code that checks the existing policies for non-assignable roles and removes them when they are loaded.

> sorry if i've had a lot of criticism to offer lately, and not much help,

You're kidding :)

> but i'm drowning in work... i think we should tie up what we have and not get into any new things that are not really bugfixes.

I gave it some thought overnight and didn't find a better solution, and I felt rather urged to fix the blocker so that we could prepare the second RC. But of course you are right that we have to be careful, and I'm glad that you started this discussion. Thanks! :)

-- Andreas


--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
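As an added illustration of the two ideas in the thread (a non-assignable "admin" role that no usecase may hand out, and stripping such roles from stored policies at load time), this is example code, not Lenya's own; the names Role, ROLES, load_policy and assign_role and the sample policy are assumed:

```python
"""Added example (not Lenya's code): modelling Role.isAssignable().

An "admin" role that was handed out for a subtree must not let its holder
call an admin usecase and escalate further, so it is marked non-assignable;
the limited "sitemanager" role is the one users are meant to receive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    assignable: bool = True  # False: granted only by the system, never by a usecase


# Constructed role table for the example.
ROLES = {
    "admin": Role("admin", assignable=False),
    "sitemanager": Role("sitemanager"),
    "edit": Role("edit"),
}


def load_policy(raw_policy: dict) -> tuple:
    """Clean a stored policy (user id -> list of role names) while loading it.

    Unknown and non-assignable roles are dropped instead of forcing every
    user to edit their policy files; the removed pairs are returned so the
    loader can log them. Returns (cleaned_policy, removed_pairs).
    """
    cleaned, removed = {}, []
    for user, role_names in raw_policy.items():
        kept = set()
        for name in role_names:
            role = ROLES.get(name)
            if role is None or not role.assignable:
                removed.append((user, name))
            else:
                kept.add(name)
        cleaned[user] = kept
    return cleaned, removed


def assign_role(policy: dict, actor: str, target: str, role_name: str) -> None:
    """The 'assign role' usecase: actor grants role_name to target."""
    role = ROLES.get(role_name)
    if role is None or not role.assignable:
        raise PermissionError(f"role {role_name!r} cannot be assigned by a usecase")
    if "sitemanager" not in policy.get(actor, set()):
        raise PermissionError(f"{actor!r} is not a sitemanager and may not assign roles")
    policy.setdefault(target, set()).add(role_name)
```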

