On 22 Feb 2007, at 14:47, Olivier Grisel wrote:
Florent Guillaume wrote:
The security spec doesn't give any semantics to hasPermission() on a
group of permissions. Both AND and OR could make sense depending on the
cases. So a basic permission should always be used, and if you need one
or the other semantic you should do hasPermission(doc, BROWSE) &&/||
hasPermission(READ_PROPERTIES).

We should really add a warning (and later an exception) in hasPermission
when a group of permissions is used.

Yes I agree, that's why I put the note. But to achieve that, the
CoreSession needs a refactoring since the READ permission is checked all
over the place and I decided to check it as well to remain consistent
with the existing implementation. I'll open a ticket to clean the
permission checks.

On the other hand, on a project here we're faced with the following
use case: a customer needs to have finer-grained properties access
than READ_PROPERTIES. So, for this project, we may have to subdivide
READ_PROPERTIES into READ_BASIC_PROPERTIES and READ_BLOB_PROPERTIES.
But we don't want to change all the code referring to READ_PROPERTIES
to choose one or the other.

So in fact the semantics of hasPermission on groups is clear: if
someGroup is perm1 + perm2, then

    hasPermission(someGroup)

must be equivalent to

    hasPermission(perm1) && hasPermission(perm2)

BTW I think that if we have READ_PROPERTIES, the doc should be normally
in the breadcrumb, but if we only have BROWSE then it should be
displayed but without a link. I think that's the correct semantic
associated to these permissions.

Ok the problem is, to read dublincore.title you will probably need the
READ_PROPERTIES unless we add a new method like
getDocumentTitle(Ref docRef) to the CoreSession interface or something
similar.

Hm yeah... :( Somehow BROWSE should allow reading very basic info
about the doc, like its dublin core info...
Florent
--
Florent Guillaume, Director of R&D, Nuxeo
Open Source Enterprise Content Management (ECM)
http://www.nuxeo.com http://www.nuxeo.org +33 1 40 33 79 87
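
The AND semantics proposed in the message above for permission groups, as an added example (not Nuxeo code and not part of the original message). The class, the method signatures, the flat set of grants and the membership of READ are assumptions for illustration; the READ_PROPERTIES split is the one the message describes.

```java
import java.util.*;

// Added illustration: hypothetical names, not the CoreSession API.
public class GroupPermissionDemo {
    // Group -> members; a member may itself be a group.
    // READ = BROWSE + READ_PROPERTIES is an assumption made for this example.
    static final Map<String, List<String>> GROUPS = Map.of(
        "READ", List.of("BROWSE", "READ_PROPERTIES"),
        "READ_PROPERTIES", List.of("READ_BASIC_PROPERTIES", "READ_BLOB_PROPERTIES"));

    // Expand a permission into the basic permissions it is made of.
    static Set<String> expand(String perm, Set<String> visiting) {
        List<String> members = GROUPS.get(perm);
        if (members == null) return Set.of(perm);            // basic permission
        if (!visiting.add(perm))                             // misconfigured group
            throw new IllegalStateException("cycle in permission groups at " + perm);
        Set<String> out = new TreeSet<>();
        for (String m : members) out.addAll(expand(m, visiting));
        visiting.remove(perm);
        return out;
    }

    // AND semantics: a group is held only if every basic member is granted.
    // Grants are expanded too, so an ACL entry written against a group
    // (for example an older READ_PROPERTIES grant) keeps its meaning.
    static boolean hasPermission(Set<String> grants, String perm) {
        if (GROUPS.containsKey(perm))                        // the warning asked for in the thread
            System.err.println("WARNING: hasPermission() called on group " + perm);
        Set<String> held = new TreeSet<>();
        for (String g : grants) held.addAll(expand(g, new HashSet<>()));
        return held.containsAll(expand(perm, new HashSet<>()));
    }

    public static void main(String[] args) {
        // Constructed sample grants.
        Set<String> basicReader = Set.of("BROWSE", "READ_BASIC_PROPERTIES");
        Set<String> legacyReader = Set.of("BROWSE", "READ_PROPERTIES");

        // Existing call sites keep asking for READ_PROPERTIES after the split.
        System.out.println(hasPermission(basicReader, "READ_PROPERTIES"));
        System.out.println(hasPermission(legacyReader, "READ_PROPERTIES"));
        // New call sites can ask for one half only.
        System.out.println(hasPermission(basicReader, "READ_BASIC_PROPERTIES"));
        System.out.println(hasPermission(legacyReader, "READ_BLOB_PROPERTIES"));
        System.out.println(hasPermission(basicReader, "READ"));
    }
}
```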