Am 16.04.2006 um 17:38 schrieb Alec Thomas:
On Sun, Apr 16, 2006 at 04:34:06PM +0200, Christian Boos wrote:
Do we really need to interpret `resource=None` as
"indicating that action can be applied to any resource." ?
Very true, this was an auto-pilot moment I think; simply copied the
code
over from the previous patch. I've removed it and uploaded a new
patch.
Then, for the "resource" itself, I think we should pass the "type"
information as well as the "id" only. Relying on the action to
decide what kind of resource to we handle seems a bit kludgy.
I see your point, though my reasoning was that the type is implicit in
the permission. However I guess we already have 'meta' permissions
like
TRAC_ADMIN, so maybe it won't be as implicit in the future.
How about passing the resource *object*, e.g. the Ticket or WikiPage
instance?
The current permission system indeed combines resource-type and
action... if we start adding actual resources/objects to the
permission system, then the resource-type part should be removed,
because it's (in theory, at least) part of the resource specification.
Meta permissions and groups should IMHO be replaced by a recursive
role system. And the terminology needs a good cleanup :-P
This stuff of course requires more work than what your patch does,
which is part of the reason why we've been postponing this whole
story to after 1.0. Still, I'd be in favor of you creating a sandbox
branch for this work (but only if it doesn't distract you from the
workflow work too much ;-)
In the future, those resources could even know a bit about
themselves,
and for resource based permission, we could write things like:
obj.has_permission('WIKI_VIEW')
which would translate into:
def has_permission(action):
self.req.perm.has_permission(action, self.type, self.id)
Making model objects aware of web-layer stuff... not exactly my idea
of a clean design ;-)
I'd prefer something like:
if WikiPage.VIEW in req.perm[page]:
for checking a permission on a specific resource, or:
if WikiPage.VIEW in req.perm:
for checking a permission "in general".
And in a context where the request object isn't available, the "perm"
object needs to be created with the appropriate credentials.
Cheers,
Chris
--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
