Oops, I see you referenced our docs on the subject.
The scripts need to be executed on ACL evaluation since the user and time are 
input parameters.
Since they are inside the AccessManager, the system session would be the one 
executing the scripts.
Performance is an issue, but we normally deal with that with caching of the 
result against user.

Ian

On 8 Nov 2010, at 14:03, Ian Boston wrote:

> We have been using extra properties on ACEs to allow the 
> AccessControlManager to determine if the ACE is enabled for the current user 
> and the current time.
> 
> Ian
> 
> On 8 Nov 2010, at 14:01, Clemens Wyss wrote:
> 
>> Often the basic ACL features are not sufficient to represent all 
>> authorization needs 
>> (http://dev.day.com/content/ddc/blog/2009/01/theaclisdead.html ). 
>> 
>> Wouldn't it be nice if we could define our authorization needs in an 
>> "Authorization DSL" ( in Groovy or jRuby ;-) ) which then could be applied 
>> to a node, or even better a node type?
>> 
>> What about a mixin type:
>> 
>> [sling:ScriptedACL]
>> mixin
>> + sling:aclScript protected mandatory
>> 
>> The aclScript would be written in the Authorization DSL. Predefined 
>> variables would provide access to the current node, session, etc 
>> 
>> "Dynamic ACL" 
>> (http://confluence.sakaiproject.org/display/KERNDOC/KERN-629+Time+base+ACL) 
>> would become a subset of this feature as this could be solved alike.
>> 
>> I agree, there are still many open points such as:
>> - who should execute these scripts? 
>> - when should these scripts be executed?
>> - performance implications?
>> 
>> WDYT?
> 

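The evaluation discussed in this thread, with user and time as inputs and the result cached against the user, sketched as an added example that is not code from the thread or from Sling, Jackrabbit or Sakai. It shows a cached decision that expires at the next time-window boundary, so a time-limited ACE is never served stale. Assumptions: the `Ace` and `Decision` types, the `notBefore`/`notAfter` property names, the user name and the deny-overrides-allow rule are all hypothetical.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical model (not the Sling, Jackrabbit or Sakai API): an ACE whose
// extra properties restrict it to a time window [notBefore, notAfter).
public class TimedAclDemo {
    record Ace(String principal, boolean allow, Instant notBefore, Instant notAfter) {
        boolean activeAt(Instant t) { return !t.isBefore(notBefore) && t.isBefore(notAfter); }
    }
    // A per-user decision, reusable only until the next window boundary.
    record Decision(boolean granted, Instant validUntil) {}
    private final List<Ace> aces;
    private final Map<String, Decision> cache = new ConcurrentHashMap<>();
    int evaluations = 0; // full evaluations performed (cache misses)
    TimedAclDemo(List<Ace> aces) { this.aces = aces; }

    // Assumes 'now' never moves backwards between calls.
    boolean isGranted(String user, Instant now) {
        Decision d = cache.get(user);
        if (d == null || !now.isBefore(d.validUntil())) {
            d = evaluate(user, now);
            cache.put(user, d);
        }
        return d.granted();
    }

    // Assumed policy: default deny; among active ACEs a deny overrides an allow.
    private Decision evaluate(String user, Instant now) {
        evaluations++;
        boolean allowed = false, denied = false;
        Instant validUntil = Instant.MAX;
        for (Ace ace : aces) {
            if (!ace.principal().equals(user)) continue;
            if (ace.activeAt(now)) { if (ace.allow()) allowed = true; else denied = true; }
            // Any boundary still in the future is a point where the answer may change.
            for (Instant edge : List.of(ace.notBefore(), ace.notAfter()))
                if (edge.isAfter(now) && edge.isBefore(validUntil)) validUntil = edge;
        }
        return new Decision(allowed && !denied, validUntil);
    }

    public static void main(String[] args) {
        Instant open = Instant.parse("2010-11-08T09:00:00Z"); // constructed sample window
        Instant close = Instant.parse("2010-11-08T17:00:00Z");
        TimedAclDemo acl = new TimedAclDemo(List.of(new Ace("alice", true, open, close)));
        for (long s : new long[] {60, 120, 8 * 3600 + 1}) // two calls inside, one after
            System.out.println(acl.isGranted("alice", open.plusSeconds(s)));
        System.out.println("full evaluations: " + acl.evaluations);
    }
}
```

The cache key is the user alone, so any change to the ACE list has to clear the cache as well.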