This is an automated notification sent by LCG Savannah.
It relates to:
task #10595, project CDS Invenio
==============================================================================
OVERVIEW of task #10595:
==============================================================================
URL:
<http://savannah.cern.ch/task/?10595>
Summary: Propagate collection restriction to children
collections
Project: CDS Invenio
Submitted by: skaplun
Submitted on: 2009-07-27 14:28
Should Start On: 2009-07-27 00:00
Should be Finished on: 2009-07-27 00:00
Category: WebSearch
Priority: 5 - Normal
Status: None
Privacy: Public
Percent Complete: 0%
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Effort: 2.00
_______________________________________________________
Currently a collection can be restricted by creating an authorization for the
viewrestrcoll WebAccess action with collection parameter set to the collection
name.
During search_engine.py load the restrictions are cached and for each
collection the system knows immediately whether it's restricted or not.
However the restriction is not propagated to child collections.
In particular the natural behaviour expected by a tipical collection
administrator would be that a restriction is automatically propagated to all
the real child collections, and if a child collection happens to already be
restricted, the two (or recursively more) restriction should be put in AND,
i.e. a user should be authorized by all restriction in order to access the
records.
In order to implement this we could improve the
search_engine.RestrictedCollectionDataCacher via a queue with this
algorithm.
1) all the explicitly restricted collection are read from the db.
2) the cache is populated with their simple name
3) all the real children of these collection are put in a queue toghether
with the restriction of the parent.
4) a collection is taken from the queue with the corresponding parent
restriction.
5) the collection restriction (i.e. the father restriction plus eventually
the collection restriction itself) is cached
6) all the children are put in the queue with the corresponding calculated
restriction
7) back to 4)
When checking if a user is authorized for a collection (i.e. everywhere
acc_authorize_action(viewrestrcoll) is used), this should be expanded to
checking all the restrictions, from the father to the child, by exploiting
the cache.
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
2195 | -SUB-
==============================================================================
This item URL is:
<http://savannah.cern.ch/task/?10595>
_______________________________________________
Message sent via/by LCG Savannah
http://savannah.cern.ch/
