Sounds good. Regarding the recording of permission changes, you will have to create a new db table since you can't create files in the stax env.
D.

On Wed, Oct 28, 2009 at 4:34 PM, Vassil Dichev <[email protected]> wrote:
>> This patch is committed and deployed on stax.
>
> OK, I took a look at the "delete user" patch. It does what's defined
> in the issue, but I intend to correct the following deficiencies:
>
> * there's no check on the server side whether I am an administrator
> for the pool I want to delete a user from. This means that I could
> conceivably forge a request with any pool id and delete a user from a
> pool I'm not authorized to administer
>
> * eventually this has to be implemented in RestAPI as well. This means
> that AccessPoolMgr is not the right place for this method, since
> there's going to be code duplication. This is something we want to
> avoid as it will make maintenance harder. Note that there's a
> duplication of the exact same query in Privilege already, since it
> needs to do the same thing when you demote a user's rights!
>
> * it would be desirable to have some sort of history tracking of
> privilege changes, so we want to have the code more flexible in order
> to do this easier. If deleting a permission is represented by another
> status type- NoPermission (as I've hinted before), we could implement
> this easily by having for instance a timestamp field indicating when
> the permission was activated.
>
> Still, there's a lot going on in this small bit of code:
> - Lift binding is used
> - The lift mapper queries the DB
> - Interaction between actors using messages
>
> Given that, I'd say the patch is a good start for a complicated task like
> this.
>
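The design discussed in this thread (a server-side administrator check, one shared code path, and removal stored as a NoPermission row with an activation timestamp in a DB table) can be sketched as follows. This is an added example, not code from the thread or from the project: it uses Python with SQLite rather than Lift, and the table layout, function names, the status names other than NoPermission, and the sample rows are all assumptions.

```python
import sqlite3, time

SCHEMA = """CREATE TABLE privilege (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    pool_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
    status TEXT NOT NULL,      -- 'Admin', 'Read' (assumed names) or 'NoPermission'
    activated REAL NOT NULL,   -- when this status took effect
    changed_by INTEGER NOT NULL)"""

class NotAuthorized(Exception):
    pass

def make_db():
    """In-memory DB seeded with constructed sample rows (two pools)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    seed = [(1, 10, "Admin", 10), (1, 20, "Read", 10),
            (2, 30, "Admin", 30), (2, 40, "Read", 30)]
    db.executemany("INSERT INTO privilege (pool_id, user_id, status, activated, changed_by)"
                   " VALUES (?, ?, ?, 0, ?)", seed)
    return db

def current_status(db, pool_id, user_id):
    """Latest row wins; no row at all means no permission."""
    row = db.execute("SELECT status FROM privilege WHERE pool_id = ? AND user_id = ?"
                     " ORDER BY id DESC LIMIT 1", (pool_id, user_id)).fetchone()
    return row[0] if row else "NoPermission"

def set_status(db, actor_id, pool_id, user_id, status):
    """Single entry point for every caller (web UI, REST), so the check is not duplicated."""
    # The actor comes from the authenticated session, never from the request body.
    if current_status(db, pool_id, actor_id) != "Admin":
        raise NotAuthorized(f"user {actor_id} does not administer pool {pool_id}")
    # Append instead of DELETE/UPDATE: earlier rows remain as the change history.
    db.execute("INSERT INTO privilege (pool_id, user_id, status, activated, changed_by)"
               " VALUES (?, ?, ?, ?, ?)", (pool_id, user_id, status, time.time(), actor_id))
    db.commit()

def remove_user(db, actor_id, pool_id, user_id):
    """'Delete user' becomes a status change, so it is checked and recorded like any other."""
    set_status(db, actor_id, pool_id, user_id, "NoPermission")

def history(db, pool_id, user_id):
    """All status changes for one user in one pool, oldest first."""
    return db.execute("SELECT status, changed_by FROM privilege WHERE pool_id = ?"
                      " AND user_id = ? ORDER BY id", (pool_id, user_id)).fetchall()
```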
