Hi Alexander,
On Monday, 20 August 2012 14.48:27, Alexander Wagner wrote:
> Guessing that there were some holidays involved,
Indeed!
> > For some reasons we need to restrict access to fulltext
> > files after initial upload and have to verify first if we
> > can allow free access. I found that I can accomplish this by
> > using the $r subfield of fft e.g. by means of
> >
> > <datafield tag="FFT" ind1=" " ind2=" ">
> > <subfield code="a">/tmp/arwagner/fulltext.pdf</subfield>
> > <subfield code="r">firerole:allow groups 'InstitutesID'
> > allow groups 'STAFF'
> > </subfield>
> > </datafield>
> >
> > to give access to members of the group 'InstitutesID' and
> > members of the group 'STAFF'. However, it would be more
> > convenient from an administrator's point of view to actually
> > (re-)use an already existing role instead of copying it
> > here, and indeed I can accomplish this by
> >
> > <datafield tag="FFT" ind1=" " ind2=" ">
> > <subfield code="a">/tmp/arwagner/fulltext.pdf</subfield>
> > <subfield code="r">role: 'Institutes-Role-ID'</subfield>
> > </datafield>
> >
> > However, as far as I can see, it is not possible to have two
> > roles here, nor can I combine this with the "allow groups
> > 'STAFF'" rule mentioned in the first example.
That's exact. If you go for role/firerole/group/email etc. only one value can
currently be specified.
> > Also prefixing
> > with "firerole:" like
> >
> > <datafield tag="FFT" ind1=" " ind2=" ">
> > <subfield code="a">/tmp/arwagner/fulltext.pdf</subfield>
> > <subfield code="r">role: 'Institutes-Role-ID'
> > firerole:allow groups 'STAFF'
> > </subfield>
> > </datafield>
> >
> > doesn't work.
Yep. The involved parser does not expect this situation.
> > Alternatively, I could set up a new role by combining our
> > Institute-Role-ID with hgfstaff (matching 'STAFF' above),
> > but I do not see a way to accomplish this in firerole
> > language.
Unfortunately, since Firerole language is used mainly to directly define
roles, it is not possible to use roles as rules, because this might lead to
a definition loop (and would actually be quite complex to implement in an
efficient way).
> > Could it be that this is just not possible? Or do I just
> > miss the obvious?
Indeed, what you are aiming at is currently not possible. The first solution,
i.e. to have one firerole rule:
[...]
firerole: allow groups 'InstitutesID'
allow groups 'STAFF'
[...]
is currently the most flexible one. Note that you can also put it in one line
as in:
firerole: allow groups 'InstitutesID','STAFF'
However, it should not be too difficult to extend the current parser for file
restriction to go on with the interpretation and accept strings such as the
above:
[...]
role: 'Institutes-Role-ID'
firerole:allow groups 'STAFF'
[...]
I'll ticketize it.
Cheers!
Sam
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
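
The following is an added example, not part of the message above and not Invenio code: a pre-upload check that scans a MARCXML batch for FFT fields whose $r subfield carries more than one restriction value (the case the thread says the parser does not accept), and for FFT fields with no $r at all. The sample batch, the `mixed.pdf` and `open.pdf` paths, and the names `lint_fft` and `local` are constructed for illustration; only the `role:` and `firerole:` prefixes shown in the thread are recognised.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample batch: the first FFT uses the single-firerole form from
# the reply, the second mixes role: and firerole:, the third has no $r.
SAMPLE = """<collection><record>
<datafield tag="FFT" ind1=" " ind2=" ">
<subfield code="a">/tmp/arwagner/fulltext.pdf</subfield>
<subfield code="r">firerole: allow groups 'InstitutesID','STAFF'</subfield>
</datafield>
<datafield tag="FFT" ind1=" " ind2=" ">
<subfield code="a">/tmp/arwagner/mixed.pdf</subfield>
<subfield code="r">role: 'Institutes-Role-ID'
firerole:allow groups 'STAFF'
</subfield>
</datafield>
<datafield tag="FFT" ind1=" " ind2=" ">
<subfield code="a">/tmp/arwagner/open.pdf</subfield>
</datafield>
</record></collection>"""

# Restriction prefixes seen in the thread; \b keeps "firerole:" from also
# matching as "role:".
PREFIX = re.compile(r"\b(firerole|role)\s*:")

def local(tag):
    """Element name without an XML namespace, if one is present."""
    return tag.rsplit("}", 1)[-1]

def lint_fft(xml_text):
    """Return (file path, problem) pairs for FFT fields that need review."""
    findings = []
    for field in ET.fromstring(xml_text).iter():
        if local(field.tag) != "datafield" or field.get("tag") != "FFT":
            continue
        subs = {}
        for sf in field:
            if local(sf.tag) == "subfield":
                subs.setdefault(sf.get("code"), []).append(sf.text or "")
        path = (subs.get("a") or ["<no $a>"])[0].strip()
        restrictions = subs.get("r", [])
        if not restrictions:
            findings.append((path, "no $r: no restriction requested"))
        for r in restrictions:
            # Blank out quoted names so a group called 'role:x' is not counted.
            kinds = PREFIX.findall(re.sub(r"'[^']*'", "''", r))
            if len(kinds) > 1:
                findings.append((path, "multiple restriction values: " + "+".join(kinds)))
    return findings

if __name__ == "__main__":
    for path, problem in lint_fft(SAMPLE):
        print(path, "->", problem)
```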