Forum OpenACS Development: Re: Ideas for using groups to minimize custom permission

Collapse
10: Re: Ideas for using groups to minimize custom permission (response to 8)
Posted by Tom Jackson on 03/31/04 06:07 PM

Lars, Huh? You mean there isn't a handy pl procedure to do it, not that the data model doesn't support these three 'grant types', right? Writing this procedure would be just as easy or difficult with your proposed model, wouldn't it? I'm not sure what the extra columns would accomplish other than making it impossible to join (easily) against the table. I think since Don's recent reorganization of the base tables you can do a join to do bulk permission checks, although I haven't tried it myself.

Collapse
11: Re: Ideas for using groups to minimize custom permission (response to 10)
Posted by Lars Pind on 04/01/04 11:56 AM
Ok, I think I complicated matters unnecessarily by mentioning the single-row optimization. Forget about that, and let's concentrate on one thing at a time.

Requirement:
------------

- I want to grant 'admin' on all news items to user x.

Dave's Design:
--------------

Create a site-wide "News" group, etc. -- see above.

My conceptual design proposal:
------------------------------

Instead of thinking of this as granting privs on *packages* think about it as granting privs on *objects*.

What you want to do is grant 'admin' on all objects of type 'news_items'.

One possible implementations:
-----------------------------

Add a column 'object_type' to the acs_permissions table, which defaults to 'acs_object', menaning this permission is granted on all object types.

Change the permissions check procs/views to also check whether the object in question is a subtype of the value of object_type column in the acs_permissions table.

... there are other possible implementations, if you agree with me on the conceptual design.

Comments?