On Tuesday 20 November 2001 21:28, Ian Bicking wrote: > > > I think there needs to be more opportunities for abstraction in > > > the permission system. Also, a more declarative model might be > > > easier to manage. > > > > More declarative in what sense?? > > Well, the process to deal with ACLs is usually procedural -- when > something happens, you (or your script) go in and manipulate the > ACLs just so, to represent whatever happened. A more declarative > way would have permissions be more rule-based (where rules might > rely on data structures). So when you wanted to express an > abstract change of permissions -- like, uh... designers should be > able to edit any .tmpl files -- you would add a rule that would say > just that, as opposed to doing a chmod like operation. > > When you can express intentions, I think the result is much more > manageable. OTOH, it's easier for people to understand concrete > operations...
I agree in general. This is something we can come back to later ... after the authentification stuff is sorted out. > > I just mean for the hooks to be built-in. That would not require > > that everything have an owner. > > In the more general sense, you might want to have relations. A > person can "own" something, perhaps another person is the > "creator", or "manager", etc. I suppose that's what you were > thinking of as roles...? Ownership could just be another role. Yeah that's what I was thinking of (and wanting to avoid). Isn't this what Zope uses, or have I totally misunderstood it? > > > > Correct me if I'm wrong, but it seems that UserKit can't be > > > > used with non-servlet files. > > > > > > As far as I can tell UserKit has absolutely no web-based or > > > webkit-based assumptions. It is totally seperated. It also > > > doesn't address anything to do with permissions, just users. > > > It's quite minimal. > > > > Ok, then so the only way to use UserKit to manage permissions for > > non-servlet files would be to call it from the Application class > > like I was suggesting. > > I suppose -- but I don't really see how Application is necessary. > You can always just import the module and use it directly. Isn't > that good enough? I don't see what Application gives you that > plain modules don't -- they are both similarly global. But you can't 'import' when you're working with non-servlet files! How would you protect static content without using Application (or some funky path manipulations)? And now for something completely different: How about handling authentification at the adaptor (mod_webkit) stage? Not neccessarily authorization, just authentification. This would allow you to use the same system for content that sit outside WebKit. It would probably be more efficient as well. There's a few other manipulations of the CGI-vars that WebKit is doing right now that I think would be better handled at that stage as well. For example, making sure that the CGI vars IIS ignores are set correctly. Just an idea. Tavis _______________________________________________ Webware-discuss mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/webware-discuss
