Forum OpenACS Development: Re: Best Practices for permissions, straw man

25: Re: Best Practices for permissions, straw man (response to 1)

Posted by Don Baccus on 12/09/03 09:17 PM

# For functions that create records, change records, or delete records, test for the "create" privilege.
# For functions that alter or delete records that belong to other people, check for the "write" privilege.

Joel, Dave's modifcation above already addresses my concern with the above but I want to make a point to you in order to make sure you understand why the above is not a good idea.

The notion of the permission system is that I can take a party_id, object_id, and permission and check without any additional effort whatsoever.

In your suggested practices, you suggest we check a different permission for the "delete" action depending on whether or not the object "belongs" to the person doing it or not. This breaks a fundamental design element of the permissions system, because you have to check the history of the object then check for one of two permissions. This is a big no-no.

Of course in addition there is already a "delete" permission and we should continue to make use of it, I think, in order to be consistent with existing usage.

Tom, I agree with Dave regarding roles. And I don't see how you end up with a "forums_create" privilege on a photo album. Why would the forums package grant "forums_create" on an album??? How would it even know of the existence of photo-album?

(of course anachronisms like forums_create need to go away, hopefully in 5.1, another of my pet projects that have been on the back burner...)

26: Re: Best Practices for permissions, straw man (response to 25)

Posted by Tom Jackson on 12/09/03 10:10 PM

Site wide admins, for instance, have every privilege on every object. If 'forum_create' is a privilege, the site wide admins have that privilege on every object. It doesn't make sense, but that is join magic at work.

I've pointed out before that roles are needed for fine grain control of what users can do to an object. A rel_segment is not a role (IMO), just a container for who can play a role. The role is defined in the UI. Even if you go to the trouble of granting 'write' on object '1' to a rel_segment, this doesn't define or control what users who are members of the rel_segment can do to the object.

As an example, say we have an news application, for simplicity, just one instance. We create a group G, with rel_segments 'writer_rel', 'editor_rel', 'publisher_rel'. If a user has a writer_rel to the group G, they can create new 'news' objects. Writers and Editors can make changes, but only Publishers can make the news go live.

If you have two instances of the news package, you might write it so that new news items have the context_id set to the package, and assign permissions on the package_id of the news package (that is assign read, write, admin to users on the package_id), not on the relational segments. So that even though all Writers, Editors, Publishers might have the 'write' permission on all the news items, each can only do certain things to the items.