Hi,

On Fri, Oct 5, 2018 at 2:47 PM Jason E Bailey <j...@apache.org> wrote:
> ...1. Each resource provider, if it supports security, should be responsible
> for security...

I think there are misunderstandings in this thread about what we're trying to achieve.

Radu, correct me if I'm wrong, but I think the only aspect of your proposal that we need to agree upon right now is to create a service that provides an API like

    /**
     * Throw a PermissionDeniedException if any of the requested permissions is not granted
     * in the context of the supplied ResourceResolver, which points to a specific user.
     */
    void checkAllPermissions(ResourceResolver context, String... requestedPermission)
        throws PermissionDeniedException;

The goal being to define permissions for things which are not content - like letting a specific user execute any code that's tied to a particular resource type, without having to implement checks in all the affected code and scripts.

How these permissions are configured and evaluated is an implementation detail that we can discuss separately. I think Radu is proposing to keep this API internal to the servlets resolver as we don't see a need for it outside of that for now.

Can we agree on this? If yes, the remaining aspects can be addressed separately in more specific discussions.

-Bertrand
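An illustration of the contract sketched above, added here as example code that is not part of the thread or of Sling's own implementation: the interface follows the signature in the mail, while the in-memory policy, the `PermissionService` and `InMemoryPermissionService` names and the permission naming scheme are assumptions; only `ResourceResolver.getUserID()` is a real Sling API call.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.sling.api.resource.ResourceResolver;

/** Thrown when at least one requested permission is missing (exception name from the thread). */
class PermissionDeniedException extends Exception {
    PermissionDeniedException(String message) { super(message); }
}

/** The API proposed in the thread; the interface name is a hypothetical choice. */
interface PermissionService {
    void checkAllPermissions(ResourceResolver context, String... requestedPermission)
            throws PermissionDeniedException;
}

/**
 * Hypothetical in-memory implementation: permissions are granted per user ID and the
 * check fails closed, so a user the policy does not know about is granted nothing.
 */
class InMemoryPermissionService implements PermissionService {
    private final Map<String, Set<String>> grantsByUser;

    InMemoryPermissionService(Map<String, Set<String>> grantsByUser) {
        this.grantsByUser = grantsByUser;
    }

    @Override
    public void checkAllPermissions(ResourceResolver context, String... requestedPermission)
            throws PermissionDeniedException {
        String userId = context.getUserID();   // the user the resolver was opened for
        Set<String> granted = grantsByUser.getOrDefault(userId, Collections.emptySet());
        Set<String> missing = new HashSet<>(Arrays.asList(requestedPermission));
        missing.removeAll(granted);
        if (!missing.isEmpty()) {
            // Report every missing permission, not only the first, so a denial is auditable
            throw new PermissionDeniedException(
                    "user '" + userId + "' lacks permissions " + missing);
        }
    }
}

// Caller sketch (hypothetical): the servlet resolver gates script execution by resource type.
// The permission name format "execute-script:<resourceType>" is constructed for this example.
//   permissionService.checkAllPermissions(request.getResourceResolver(),
//           "execute-script:" + resource.getResourceType());
```

Because all requested permissions must be present and unknown users get an empty grant set, a misconfigured or missing policy entry results in denial rather than silent execution.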