> AccessControlManager to determine if the ACE is
> enabled for the current user and the current time

This was just an example.
E.g.:
- a project has a project lead assigned (probably through a "(weak) ref" property). A project lead of a project may view all bills of a project
- a teamleader may view the time recordings of his assigned team members
- an employee may be assigned to a project (i.e. he/she has responsibility for the project). If so, and only then may he/she view/edit the project
...

-----Original Message-----
From: Ian Boston [mailto:[email protected]] On behalf of Ian Boston
Sent: Monday, 8 November 2010 15:04
To: [email protected]
Subject: Re: Scripted ACLs/Authorization

We have been using extra properties on ACEs to allow the AccessControlManager to determine if the ACE is enabled for the current user and the current time.

Ian

On 8 Nov 2010, at 14:01, Clemens Wyss wrote:

> Often the basic ACL features are not sufficient to represent all
> authorization needs
> (http://dev.day.com/content/ddc/blog/2009/01/theaclisdead.html ).
>
> Wouldn't it be nice if we could define our authorization needs in an
> "Authorization DSL" ( in Groovy or jRuby ;-) ) which then could be applied to
> a node, or even better a node type?
>
> What about a mixin type:
>
> [sling:ScriptedACL]
> mixin
> + sling:aclScript protected mandatory
>
> The aclScript would be written in the Authorization DSL. Predefined variables
> would provide access to the current node, session, etc
>
> "Dynamic ACL"
> (http://confluence.sakaiproject.org/display/KERNDOC/KERN-629+Time+base+ACL)
> would become a subset of this feature as this could be solved alike.
>
> I agree, there are still many open points such as:
> - who should execute these scripts?
> - when should these scripts be executed?
> - performance implications?
>
> WDYT?
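The rules discussed in this thread, written as a small Ruby authorization DSL with a time-window rule alongside the relationship rules. This is an added example, not code from the thread, Sling or Jackrabbit; `AclScript`, `allow`, `permitted?`, the `report` node type and all node and user fields are hypothetical, and the sample data is constructed.

```ruby
# Hypothetical mini-DSL: a rule grants actions on a node type when its block
# returns exactly true. Anything not explicitly granted is denied.
class AclScript
  Rule = Struct.new(:actions, :node_type, :condition)

  def initialize(&script)
    @rules = []
    instance_eval(&script) # the "aclScript" body runs against this object
  end

  # DSL keyword: allow(:view, :edit, on: "project") { |node, user, now| ... }
  def allow(*actions, on:, &condition)
    @rules << Rule.new(actions, on, condition)
  end

  def permitted?(action, node, user, now: Time.now.utc)
    @rules.any? do |r|
      r.node_type == node[:type] && r.actions.include?(action) &&
        r.condition.call(node, user, now) == true
    end
  rescue StandardError
    false # fail closed: a broken script or incomplete node never grants access
  end
end

POLICY = AclScript.new do
  # A project lead may view all bills of the project.
  allow(:view, on: "bill") { |n, u, _| n[:project][:lead] == u[:id] }
  # A team leader may view the time recordings of assigned team members.
  allow(:view, on: "timeRecording") { |n, u, _| u[:team].include?(n[:employee]) }
  # Only an employee assigned to the project may view/edit it.
  allow(:view, :edit, on: "project") { |n, u, _| n[:assigned].include?(u[:id]) }
  # Time-based rule: enabled for listed readers inside a window only.
  allow(:view, on: "report") do |n, u, now|
    n[:readers].include?(u[:id]) && now >= n[:from] && now < n[:until]
  end
end

# Constructed sample data.
ALICE     = { id: "alice", team: ["bob"] } # project lead and bob's team leader
BOB       = { id: "bob", team: [] }
PROJECT   = { type: "project", lead: "alice", assigned: ["bob"] }
BILL      = { type: "bill", project: PROJECT }
RECORDING = { type: "timeRecording", employee: "bob" }
REPORT    = { type: "report", readers: ["bob"],
              from: Time.utc(2010, 11, 8, 9), until: Time.utc(2010, 11, 8, 17) }
```

The decision is evaluated per request here, which is one answer to the "when should these scripts be executed?" question; caching a result would need to account for the time window.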
