The DSpace authorization system is showing its age and has several problems that have remained unaddressed. In my opinion the principal problem is that it does not recognize the difference between a role and a permission, where a role is something like submitter, administrator, or owner, while permissions are the basic edit, update, delete primitives. If an eperson were granted the submitter role then it would also imply a set of basic permissions over some resources. This way the objects can check the primitive operations of access and the interface can allow users to operate with the larger concept of roles. What you are seeing is that roles and permissions have been halfway mixed into something called a resourcepolicy - which tries to be a permission system but has some role concepts mixed in as well.

We could go on and talk about how one would like to improve the authorization system, but that's been discussed before. To answer your question, these columns are still needed because that is where DSpace determines who is allowed to submit or administrate a collection, and yes, those epersons must also be granted the basic resource policies over those objects as well - so it's best to avoid situations where they are out of sync.

We are way too far along in this release to consider a database schema change of this magnitude. Most everyone I've talked to agrees that the authorization system needs to be re-designed from the ground up; people complain about various problems, from how hard it is to use, to its implementation and model. However, given all these complaints, no one has ever taken the time to create a patch to fix it, which really shows that while it may be a problem for users it's probably not that big of a problem.

If you would like to undertake a project working on the authorization system for a future release I'm sure several developers would offer their opinions on how to design a new system.

Scott--

On Feb 15, 2008, at 8:37 AM, Tom De Mulder wrote:

> Could any of the more involved developers tell me why the database schema
> for DSpace 1.5 still has "admin" and "submitter" columns in the collection
> table, when there is a ResourcePolicy table? In our experience, if the
> former and latter disagree with each other, serious authz problems occur;
> it would be better if everything used the ResourcePolicy rather than the
> columns on the collection table.
>
> Any reason why they can't be dropped for this release?
>
> Best,
>
> --
> Tom De Mulder <[EMAIL PROTECTED]> - Cambridge University Computing Service
> +44 1223 3 31843 - New Museums Site, Pembroke Street, Cambridge CB2 3QH
> -> 15/02/2008 : The Moon is Waxing Gibbous (58% of Full)

DSpace-tech mailing list
https://lists.sourceforge.net/lists/listinfo/dspace-tech
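
The disagreement discussed in this thread, role columns on the collection table versus the resource policies, can be audited with a query. The following is an added example, not part of the original messages and not DSpace code; the simplified schema, the action names and the role-to-permission mapping are assumptions made for illustration.

```python
import sqlite3

# Simplified schema for illustration (assumption, not DSpace's real DDL).
SCHEMA = """
CREATE TABLE collection (collection_id INTEGER PRIMARY KEY,
                         admin INTEGER, submitter INTEGER);
CREATE TABLE resourcepolicy (collection_id INTEGER, action_name TEXT,
                             epersongroup_id INTEGER);
"""
# Hypothetical mapping from each role column to the permissions it implies.
ROLE_ACTIONS = {"admin": ("ADMIN", "WRITE"), "submitter": ("ADD",)}

def build_sample():
    """Constructed data: collection 1 is consistent, 2 and 3 have drifted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO collection VALUES (?, ?, ?)",
                     [(1, 10, 20), (2, 11, 21), (3, None, 22)])
    conn.executemany("INSERT INTO resourcepolicy VALUES (?, ?, ?)",
                     [(1, "ADMIN", 10), (1, "WRITE", 10), (1, "ADD", 20),
                      (2, "ADMIN", 11), (2, "ADD", 21),
                      (3, "ADD", 22), (3, "ADMIN", 12)])
    return conn

def find_drift(conn):
    """Return (collection_id, role, group_id, action, problem) tuples."""
    findings = []
    for role, actions in ROLE_ACTIONS.items():  # role is a fixed column name
        for action in actions:
            # The role column names a group that lacks the implied policy.
            missing = conn.execute(f"""
                SELECT c.collection_id, c.{role} FROM collection c
                WHERE c.{role} IS NOT NULL AND NOT EXISTS (
                    SELECT 1 FROM resourcepolicy p
                    WHERE p.collection_id = c.collection_id
                      AND p.action_name = ? AND p.epersongroup_id = c.{role})
                ORDER BY c.collection_id""", (action,)).fetchall()
            # A policy grants the action to a group the column does not name.
            extra = conn.execute(f"""
                SELECT p.collection_id, p.epersongroup_id
                FROM resourcepolicy p
                JOIN collection c ON c.collection_id = p.collection_id
                WHERE p.action_name = ?
                  AND (c.{role} IS NULL OR c.{role} <> p.epersongroup_id)
                ORDER BY p.collection_id""", (action,)).fetchall()
            findings += [(c, role, g, action, "missing_policy") for c, g in missing]
            findings += [(c, role, g, action, "policy_without_role") for c, g in extra]
    return findings

if __name__ == "__main__":
    for finding in find_drift(build_sample()):
        print(finding)
```

A `policy_without_role` finding is not necessarily wrong in a real installation, since policies can be granted to additional groups on purpose; it marks rows to review.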

