I just want to double check the code for FluxAction.isAuthorized() as it's
a little obscure:
    if (acl==null || ! acl.hasRole(fluxAdminRole))
    {
        isAuthorized = false;
    }
    else if(acl.hasPermission(fluxAdminRole))
    {
        isAuthorized = true;
    }
    // no else branch: role present but permission absent leaves isAuthorized untouched
This implies that the only authorized user must have the specific
role and permission for that role, which are both equal to the same
string. The dual use of "fluxAdminRole" for two different semantics
(first as a role, then as a permission) is a little confusing.
Wouldn't it be sufficient to just test if permission is granted? Why
restrict user-admin to a specific role?
    return (acl!=null) && (acl.hasPermission(fluxAdminPermission))
This would allow the initial turbine_root account to delegate the
admin_users permissions as it pleases (i.e., create membership
moderators).
--
Gary Lawrence Murphy <[EMAIL PROTECTED]> TeleDynamics Communications Inc
Business Innovations Through Open Source Systems: http://www.teledyn.com
"Computers are useless. They can only give you answers."(Pablo Picasso)
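As an added example (not Turbine's code and not part of the post above), the following Java puts the quoted role-and-permission check and the proposed permission-only check side by side over a few constructed ACLs. The Acl interface and SetAcl class are a minimal stand-in for whatever the real ACL object is, the string value "flux_admin" and the account fixtures are assumptions for illustration, and the constant names FLUX_ADMIN_ROLE / FLUX_ADMIN_PERMISSION are hypothetical.

```java
import java.util.Set;

/**
 * Minimal stand-in for the ACL the quoted code calls into. Assumption: only
 * hasRole/hasPermission are needed; this is not Turbine's AccessControlList.
 */
interface Acl {
    boolean hasRole(String role);
    boolean hasPermission(String permission);
}

/** Constructed fixture: an ACL backed by two in-memory sets. */
final class SetAcl implements Acl {
    private final Set<String> roles;
    private final Set<String> permissions;

    SetAcl(Set<String> roles, Set<String> permissions) {
        this.roles = roles;
        this.permissions = permissions;
    }

    @Override
    public boolean hasRole(String role) {
        return roles.contains(role);
    }

    @Override
    public boolean hasPermission(String permission) {
        return permissions.contains(permission);
    }
}

public final class FluxAuthzCompare {
    // Assumed values; the post observes that role and permission share one string.
    static final String FLUX_ADMIN_ROLE = "flux_admin";
    static final String FLUX_ADMIN_PERMISSION = "flux_admin";

    /** The check as quoted from FluxAction.isAuthorized(): role AND permission. */
    static boolean roleAndPermission(Acl acl) {
        boolean isAuthorized = false;
        if (acl == null || !acl.hasRole(FLUX_ADMIN_ROLE)) {
            isAuthorized = false;
        } else if (acl.hasPermission(FLUX_ADMIN_ROLE)) {
            isAuthorized = true;
        }
        // Role present but permission absent: neither branch fires, stays false.
        return isAuthorized;
    }

    /** The permission-only check proposed in the post. */
    static boolean permissionOnly(Acl acl) {
        return (acl != null) && acl.hasPermission(FLUX_ADMIN_PERMISSION);
    }

    static void report(String who, Acl acl) {
        System.out.printf("%-24s role+perm=%-5b perm-only=%-5b%n",
                who, roleAndPermission(acl), permissionOnly(acl));
    }

    public static void main(String[] args) {
        // Constructed accounts. The "delegated moderator" is the case the post
        // cares about: granted the permission by turbine_root, never given the role.
        Acl root = new SetAcl(Set.of(FLUX_ADMIN_ROLE), Set.of(FLUX_ADMIN_PERMISSION));
        Acl moderator = new SetAcl(Set.of("member"), Set.of(FLUX_ADMIN_PERMISSION));
        Acl roleOnly = new SetAcl(Set.of(FLUX_ADMIN_ROLE), Set.of());
        Acl anonymous = null;

        report("turbine_root", root);
        report("delegated moderator", moderator);
        report("role without permission", roleOnly);
        report("no ACL (anonymous)", anonymous);
    }
}
```

The "delegated moderator" row is the one that differs: the quoted check rejects an account that holds the permission but not the role, while the permission-only check accepts it, which is exactly the delegation the post wants. The caveat that comes with it is that the permission-only form moves the trust boundary onto whoever can grant that permission, so the code path that assigns it needs to be at least as well guarded as the role assignment was.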