Hi Michael,

o.k., I will make the ACL Semantics switchable.

regards
Eckehard

-----Original Message-----
From: Michael Smith [mailto:msmith@;xn.com.au]
Sent: Monday, October 28, 2002 2:28 AM
To: Slide Developers Mailing List
Subject: Re: ACL sematic changed

"Pill, Juergen" wrote:
>
> Hi Sliders,
>
> Because the currently implemented ACL semantic brings up some great
> problems in usage and contains some inconsistencies, I added the planned
> changes in the ACL standard for chapter 6.1.2 in advance to slide. Now slide
> implements the ACL semantic:
>
> Dav:all-grant-before-any-deny: The ACEs are evaluated in the order in which
> they appear in the ACL, until all privileges needed for the request have
> been granted. If an evaluated ACE denies a privilege needed for the request,
> the request MUST fail. If all ACEs have been evaluated without the user being
> granted all privileges needed for the request, the request MUST fail. An
> example is the NT file system.
>
> !!!!! So be careful, the ACL semantic changed !!!! Now the order of the ACEs
> in an ACL is relevant
>
> regards
> Eckehard
>

This sounds like a pretty major problem - whilst I agree that the old ACL semantics were a pain to use and had various other problems, this new way simply cannot work without store-layer changes.

The slide store interface does NOT guarantee (and in practice does NOT provide) guaranteed ordering to the ACEs in an ACL. So essentially, with this change, the evaluation of an ACL is undefined if there is more than one ACE.

If this is required (which is fine in principle), it is absolutely critical that the store interface be changed _first_, and that this be implemented in at least all the reference stores.

Michael

--
To unsubscribe, e-mail: <mailto:slide-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:slide-dev-help@;jakarta.apache.org>
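
The order dependence discussed in this thread, as an added example that is not part of the original messages and is not Slide's code: it evaluates an ACL with the quoted in-order semantic and then checks every ordering a store without guaranteed ACE order could return. The ACE tuples, principal names and function names are constructed for illustration.

```python
from itertools import permutations

# Constructed sample ACL: (principal, action, privilege). Not Slide data.
SAMPLE_ACL = [
    ("alice", "grant", "read"),
    ("staff", "deny", "write"),
    ("alice", "grant", "write"),
]


def evaluate(acl, principals, needed):
    """Evaluate ACEs in list order, following the semantic quoted in the thread.

    Evaluation stops once every needed privilege has been granted. An
    evaluated ACE that denies a needed privilege fails the request, and so
    does running out of ACEs before everything is granted.
    """
    needed = set(needed)
    outstanding = set(needed)
    for principal, action, privilege in acl:
        if not outstanding:
            break  # everything granted: later ACEs are never evaluated
        if principal not in principals or privilege not in needed:
            continue  # ACE does not apply to this user or this request
        if action == "deny":
            return False
        outstanding.discard(privilege)
    return not outstanding


def outcomes_over_orderings(acl, principals, needed):
    """Decisions reachable if the store may return the ACEs in any order."""
    return {evaluate(list(order), principals, needed)
            for order in permutations(acl)}


def is_order_sensitive(acl, principals, needed):
    """True when the access decision depends on ACE ordering."""
    return len(outcomes_over_orderings(acl, principals, needed)) > 1


if __name__ == "__main__":
    user = {"alice", "staff"}  # alice is also a member of staff
    print("stored order:", evaluate(SAMPLE_ACL, user, {"read", "write"}))
    print("reachable decisions:",
          outcomes_over_orderings(SAMPLE_ACL, user, {"read", "write"}))
```

A check like `is_order_sensitive` can be run over existing ACLs to find the ones whose decision would change with store ordering before the new semantic is switched on.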
