On 3 July 2010 23:04, Luciano Resende <[email protected]> wrote:
> I was looking into the proposed Repository Structure [1] for Roles,
> Permissions and other user related stuff, and I have a couple of questions:
>
> - I noticed we defined a couple of permissions such as: deleteOwnAlbum,
> deleteOwnGroupRole, manageOwnGroupRole, addOwnImagesToOwnAlbum,
> editOwnAlbumDescription. What I found a little awkward is that, if I'm
> the owner of the album, is there really any scenario where I wouldn't
> be allowed to "manage" my album?
>
> - As for a couple of other roles: deleteOtherAlbum, deleteOthersGroupRole,
> viewImagesOnOthersAlbum, addOwnImagesToOthersAlbum,
> deleteImagesFromOthersAlbum, editOthersAlbumDescription. This also
> seems strange, as it seems that once I get "deleteOtherAlbum" I would
> have permission to delete any album that I don't own, which I think
> the scenario should be more like, a specific album owner would give a
> specific user the permission to "remove album" which would only work
> on the scope to that specific album.
>
> Thoughts?
>
We can divide the albums into three major categories:

1. your (owner's) album - and what you can do in your album
2. others' album - what permissions do you have on others' album - in general
3. specific albums - and the special permissions to it

So when it comes to your albums there is no need and no way to
differentiate each of them, and you will have the same permissions. Some of
those permissions are deleteOwnAlbum, addOwnImagesToOwnAlbum,
editOwnAlbumDescription; similarly for your groups (deleteOwnGroupRole,
manageOwnGroupRole).

I'm using different types of permissions for two reasons:

1. Imagine a user has created an album, but due to his misconduct the super
   admin decided not to allow him to add any further images. In this case the
   SuperAdmin can create a role with only the viewImagesOnOwnAlbum permission
   and add him.
2. Managing roles and managing albums can be separated.
3. No need to hard code.

Here I have divided the permissions as much as I can, so when creating the
roles there won't be any restrictions.

The "others album" concept is mainly used to reduce "per album" entries; this
will facilitate roles like SuperAdmin and Moderator (can
viewImagesOnOthersAlbum and deleteImagesFromOthersAlbum).

And thirdly, the per-album based permissions are used (viewImages, addImages,
deleteImages, editAlbumDescription).

When calculating the permissions for a user, first the general permissions
(own and others) and then the specific album based permissions will be
applied.

By this approach, mainly the roles like SuperAdmin and Moderator will only
have very few entries rather than having 100 entries for all 100 albums in the
repository, and by having all permissions at a primitive level the flexibility
to create different types of roles also increases.

Suho

> [1] https://cwiki.apache.org/confluence/display/PHOTARKxWIKI/Repository+Structure
>
> --
> Luciano Resende
> http://people.apache.org/~lresende
> http://twitter.com/lresende1975
> http://lresende.blogspot.com/
>
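
Added example, not part of the original thread and not PhotArk's code: a sketch of the two-stage calculation described in the reply, where role-based general permissions (own or others) are resolved first and per-album grants are applied afterwards. It assumes per-album grants are additive; the mapping tables, the data layout and the role names "Member" and "RestrictedOwner" are also assumptions, and all sample data is constructed.

```python
# Added illustration, not PhotArk code. Mapping tables, data layout and the
# role names "Member" and "RestrictedOwner" are assumptions.
# General permission name -> per-album action it confers.
OWN = {
    "viewImagesOnOwnAlbum": "viewImages",
    "addOwnImagesToOwnAlbum": "addImages",
    "editOwnAlbumDescription": "editAlbumDescription",
}
OTHERS = {
    "viewImagesOnOthersAlbum": "viewImages",
    "addOwnImagesToOthersAlbum": "addImages",
    "deleteImagesFromOthersAlbum": "deleteImages",
    "editOthersAlbumDescription": "editAlbumDescription",
}

# Constructed sample data.
ROLES = {
    "Member": set(OWN),                           # full rights on own albums
    "RestrictedOwner": {"viewImagesOnOwnAlbum"},  # the "misconduct" case
    "Moderator": {"viewImagesOnOthersAlbum", "deleteImagesFromOthersAlbum"},
}
USER_ROLES = {"alice": ["Member"], "bob": ["RestrictedOwner"],
              "carol": ["Moderator"], "dave": ["Member"]}
ALBUM_OWNER = {"a1": "alice", "b1": "bob"}
# Per-album entries: (album, user) -> actions granted on that album only.
ALBUM_GRANTS = {("a1", "dave"): {"viewImages", "addImages"}}


def effective_permissions(user, album):
    """Return the per-album actions `user` may perform on `album`."""
    if album not in ALBUM_OWNER:
        return set()  # unknown album: fail closed
    # Stage 1: general permissions from every role the user holds.
    general = set()
    for role in USER_ROLES.get(user, ()):
        general |= ROLES.get(role, set())
    # Ownership selects which family of general permissions is relevant.
    table = OWN if ALBUM_OWNER[album] == user else OTHERS
    allowed = {action for perm, action in table.items() if perm in general}
    # Stage 2: album-specific grants (assumed additive).
    allowed |= ALBUM_GRANTS.get((album, user), set())
    return allowed


def is_allowed(user, album, action):
    return action in effective_permissions(user, album)
```

Because ownership alone confers nothing in this model, bob can view but not add to his own album, while dave's rights on a1 come solely from the per-album entry and do not extend to b1.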
