Gonzalo A. Diethelm wrote:

>>I do prefer Module to Application, as Application
>>doesn't make me think "grouping".
>>
>>In Helm, we have both UserGroup and ProjectGroup entities
>>(ProjectGroups are probably near the equivalent of nested Scarab
>>Modules).
>>
>>Gonzalo, I haven't looked at the code yet, but from your description
>>don't see any interfaces for user or project groups (necessary for
>>finer grained permissioning).  Is there any particular reason not to
>>include interfaces for these things (preferably ones which do not have
>>to be used if the user's application does not need'em)?
>>
>
>What I called "Application" is what a Group is today in Turbine 2,
>and I believe it would be akin to your UserGroup.  I didn't think
>about adding ProjectGroup because there was no such thing in T2,
>and that was my starting point.  What would be the exact semantics
>for ProjectGroup?  Where does it fit in:
>
>   A Role has Permissions.
>   A User has Roles within a UserGroup.
>   A Session may o may not have a User.
>

In my application we have been using T2 "groups" as what I think you are 
referring to as ProjectGroups, instead of "groups" as methods to 
restrict access per application.   Under T2 I have deduced that this 
kind of scheme was the intent:

Permissions - read, write, delete, update...etc.
Roles - Admin (has read,write,delete, update); User ( read, update) and 
so on.
Group - Contact Database, Schedule, WebSite Mangement System.

So T2 was designed so there were roles that people can have under 
specific applications or "groups."  But, the ProjectGroup-ing arises 
when we not only have different applications, but these applications 
have different projects underneath them.  For example say I have a 
Project Managment application with several different projects in it. 
 Then we have:

Permissions - read, write, delete, update...etc.
Roles - Admin (has read,write,delete, update); User ( read, update) and 
so on.
Group (or Application) - Project Management, Contact Database.
ProjectGroup - Marketing Campaign for XXX, TV Ads for ABC Inc.

Then different people can have different permissions in different 
projects or no permissions in some projects.  This making sense at all? 
 But the problems don't end here I believe.  Because as has been said 
many times over there is not a one size fits-all security mechanism... 
Not all people are going to have projects, and not all people will want 
an application grouping mechanism.  Jetspeed is just one counter-example.

So I would just like to put my vote in for a pluggable architecture - 
rather a hookable architecture.  We could distribute a couple different 
security implementations - ClassicTurbine, Portlet Security, Project 
Security.  All we do is put hooks in the RunData object to the security 
system.  So then if I'm running the ClassicTurbine SecuritySystem I do 
(for lack of a better name I have chose SecuritySystem.  Its equivalent 
to the ACL Object in T2):

if (data.getSecuritySystem().hasPermission("read", "application"))...do 
something

But, If I had my project security system setup I would do:

if (data.getSecuritySystem().hasPermission("read", "application", 
"projectid"))...do something

Notice I am not promoting an interface that has a consistent way of 
checking for permissions across all implementations.  Each API is going 
to be different for each system.  I think the best way to go about it is 
to put hooks in the existing code to reference whatever security system 
we want.  So while the security system would be "pluggable", you can't 
readily replace one with the other unless you change your whole 
codebase.  This is because there are no defined methods to check for 
permissions in the SecuritySystem interface.  There is only a way to 
retrieve the SecuritySystem object.


I am very willing to help on this project, especially since I have to do 
something about it anyways for my application.  :)

- Dan Diephouse


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to