<quote who="Shane">
> Hi,
>
> Is it possible to "query" what permissions an "entity" has prior to
> them trying to make a change or addition? In context, I'm writing an
> app that has different levels of editing based on who you are / what
> groups you're in etc.
>
> From majority of examples I've seen this seems to be a try fail sort
> of thing, try to edit, if it fails you report the error (usually no
> permissions). It would be really handy to turn that around and query
> the server first and give an interface to the user which only has
> parts they can edit as editable - I could code in which groups have
> access etc but then if I add extra groups to the ACL I'll need to
> change code ... simply trying to modify every attribute then catching
> / reporting failures or using this to work out what they can edit just
> feels dirty and surely isn't very efficient - is there an alternative?
>
> TIA
> Shane.
>
This is more of an LDAP usage question, rather than about OpenLDAP software. You'd be better served by pinging:

http://www.umich.edu/~dirsvcs/ldap/mailinglist.html

Why not use roles/groups?

As for "I could code in which groups have access etc but then if I add extra groups to the ACL I'll need to change code", this is just bad coding ;-)

Have your code send a query for groups that are allowed to do things, i.e. another entry for an action/ACL, with groups as attributes that can perform these actions. Then do another query to check the users are in that group. Or do some & searches etc.

Please shout all if I'm talking rubbish ;-)

Thanks.

--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [EMAIL PROTECTED]
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
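The two-step lookup described in the reply above, as an added example that is not part of the original thread: policy entries name the groups allowed to edit given attributes, and a second "&" search finds the user's groups. The attribute names `allowedGroup` and `editableAttribute`, all DNs, and the in-memory dictionaries standing in for search results are assumptions made for illustration.

```python
# Constructed sample data standing in for search results; the attribute names
# allowedGroup / editableAttribute are hypothetical, not a standard schema.
POLICIES = {
    "cn=edit-contact,ou=policies,dc=example,dc=com": {
        "editableAttribute": ["telephoneNumber", "mail"],
        "allowedGroup": ["cn=helpdesk,ou=groups,dc=example,dc=com"],
    },
    "cn=edit-title,ou=policies,dc=example,dc=com": {
        "editableAttribute": ["title"],
        "allowedGroup": ["cn=hr,ou=groups,dc=example,dc=com"],
    },
}
GROUPS = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": ["uid=shane,ou=people,dc=example,dc=com"],
    "cn=hr,ou=groups,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com"],
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(user_dn):
    """The '&' search that returns every group listing user_dn as a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def groups_of(user_dn, groups=GROUPS):
    """In-memory equivalent of running membership_filter() against a server."""
    wanted = user_dn.lower()
    return {dn for dn, members in groups.items()
            if wanted in (m.lower() for m in members)}

def editable_attributes(user_dn, policies=POLICIES, groups=GROUPS):
    """Attributes the UI should present as editable for user_dn."""
    mine = groups_of(user_dn, groups)
    editable = set()
    for policy in policies.values():
        # A policy applies when the user is in at least one allowed group.
        if mine & set(policy["allowedGroup"]):
            editable.update(policy["editableAttribute"])
    return sorted(editable)
```

Adding a group to a policy entry changes the result without a code change. The result only drives what the interface shows; the server's ACLs still decide whether a modify succeeds.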
