On 04/05/2013 02:46 PM, Denis Gervalle wrote:
> Hi devs,
>
> While introducing the new security module, we have added a new right named
> "creator", only applicable at document level, it is automatically applied
> on documents for their creator. This right is not really checked for
> itself, but it implies the delete right with a tie resolution policy of
> allow, and an inheritance policy of not deniable. This gives a document
> creator the right to delete the document whatever other policies could say
> about him.
>
> Since having only delete right on a document does not seem really logical,
> I am wondering if it would not be good to make the creator right also imply
> the view, and the edit right. This would give to document creators
> consistent minimal right on their documents, whatever the policy of the
> wiki is.
>
> WDYT ?
>
Hm, I don't really like this. "creator" doesn't sound like a right to me. When speaking about rights in Real Words, you would say that "X has the right to `view', `edit', and `creator' on this page". And that doesn't sound quite English to me.

I was envisioning "creator" not as a special right, but as a special username, like XWiki.XWikiGuest used to be.

The advantage of a "creator" pseudo role is that we can set rights at different levels, so for example we can say that in the `XWiki' space (or `Users' at a later time), creators should be allowed to edit and delete their documents (which means their profiles), and this would remove the need to always add two rights objects on their profiles. It also allows to globally allow or disallow the delete right to creators. Why hard-code the fact that document creators are allowed to delete their own documents? If we want to ensure non-repudiation for user's actions it's mandatory not to be allowed to delete documents.

The main disadvantage is that there's another special name that must be processed securely (i.e. don't confuse creator rights with the rights for a user named creator).

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu
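The pseudo-role idea from the reply above, as an added sketch that is not part of the original message and not XWiki's code: "creator" is modelled as its own type rather than a reserved username string, so a rule for the pseudo-role and a rule for a user literally named creator cannot be confused. All names here (Pseudo, Rule, is_allowed) and the resolution order (most specific level wins, deny beats allow within a level, default deny) are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

class Pseudo(Enum):
    CREATOR = "creator"   # its own type, so it never equals a username string

@dataclass(frozen=True)
class Rule:
    principal: object     # a username (str) or a Pseudo member
    right: str            # "view", "edit" or "delete"
    allow: bool

@dataclass(frozen=True)
class Document:
    space: str
    name: str
    creator: str

def matches(rule, user, doc):
    # The pseudo-role is resolved against the document, never compared by name.
    if isinstance(rule.principal, Pseudo):
        return user == doc.creator
    return rule.principal == user

def is_allowed(user, right, doc, doc_rules, space_rules, wiki_rules):
    # Assumed resolution: the most specific level with a matching rule decides,
    # a deny beats an allow inside one level, and no match means deny.
    levels = (doc_rules.get((doc.space, doc.name), []),
              space_rules.get(doc.space, []),
              wiki_rules)
    for rules in levels:
        hits = [r.allow for r in rules if r.right == right and matches(r, user, doc)]
        if hits:
            return all(hits)
    return False

# Constructed sample policy: creators may not delete wiki-wide (non-repudiation),
# but may edit and delete what they created in the XWiki space (their profiles).
WIKI = [Rule(Pseudo.CREATOR, "delete", False), Rule("creator", "view", True)]
SPACES = {"XWiki": [Rule(Pseudo.CREATOR, "edit", True),
                    Rule(Pseudo.CREATOR, "delete", True)]}
DOCS = {}
PROFILE = Document("XWiki", "alice", creator="alice")
REPORT = Document("Main", "Report", creator="alice")
```

With this policy, alice can edit and delete her profile but cannot delete the report she created in Main, and the view rule for the user named creator grants alice nothing.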

