Forum OpenACS Development: Groups, Parties, Persons Rels

Collapse
1: Groups, Parties, Persons Rels
Posted by Dave Bauer on 03/21/03 03:10 AM
I have found a discrepency between the documentation and the data model for groups. Specifically the Parties in OpenACS doc: https://openacs.org/doc/openacs-4/parties.html states that a group can be a component, or member of another group. This works nicely in theory, but the datamodel enforces a group->person relationship for membership_rel. So it is impossible to actually create a group structure this way.

Don noticed that if you have component groups, normally permissions granted to the object_one of a compoenent relationship are not also granted to the object_two. I think some people think of this as object_one is the parent group and object_two is a part of the parent_group. But if you grant permission to a relational segment composed of members of the parent_group members of all component groups are also granted permission. Now I guess in _all_ cases this is not what you need to happen.

It appears that those that wrote the documentation assumed you would use membership relationships between groups when the members of a member groups should not be members of the parent group.

Ok, now I am not sure what my question is. I need a way to grant permission to a top-level parent group, and let that permission be granted to members of the groups under it. I guess those would be components of that group.

It looks like some applications would not want to have this happen, and in that case they would use a membership_rel between the groups, if the data model supported this.

Should this be fixed? Is there another solution to my problem? I could create a relational segment of the members of the parent group, and take advantage of the apparent bug that Don saw. This would grant permission to the group and all the members of the component groups.

Maybe this is by design? Or possibly luck, that it solves a problem not solved by the basic groups datamodel as implemented.

Collapse
2: Re: Groups, Parties, Persons Rels (response to 1)
Posted by Don Baccus on 03/21/03 04:11 AM
I think you're misunderstanding my comments slightly, so let me see if I can understand.  I would like to rewrite the document once the dust settles on our first dotLRN release, in practice after Copenhagen ...

The bug isn't in the way groups and relational segments work.  The bug was in the fact that acs-subsite wrongly added a composition relationship to a child site's parent group.

1. A composition relationship between G1 and G2 says "G1 consistes of all [direct] members of G1 and all members of G2".  That's it.

2. If you add someone to G2 with a particular membership_rel type (read "role", say "admin_rel") they are added to G1 in the same type.

3. Let's say you have a relational segment called "G1 admins" in group G1 and one called "G2 admins"  in group G2, which consist of all the parties in their group with the admin_rel membership_rel ("role"), and that you give the "admin" privilege to those two relational segments.  Because of #2 above, anyone made an admin of G2 is an admin of G1.

Now in the subsite case, let "G1" be the main subsite group and "G2" be a child subsite group.  If you follow 1-2-3 above, you'll see that adding someone as an admin to the child subsite makes them an admin in the main subsite.  Oops!

But there's no bug in the groups datamodel.  The fix is simple: there shouldn't be a composition_rel between a subsite's group and its parent's group.  Then the 1-2-3 cascade above doesn't happen.  And that's what I've done in 4.6.2.

For your use, though, you *want* privileges to cascade, so a composition_rel should work for you, at least if I understand correctly from your note and our previous IRC chat.

Anyway ... does the above help make things clear?  Obviously when re-writing the docs I can ignore the acs-subsite bug, if the doc doesn't have to explain the bug it will be a lot simpler!  and given that the bug's fixed ...

Collapse
3: Re: Groups, Parties, Persons Rels (response to 1)
Posted by Dave Bauer on 03/21/03 04:32 AM
Don,

Ok.

Now I mostly understand.

THe issue you referred to inadvertantly granted admin to all memebers of a subsite, that is decidely bad.

I thought my composition_rels were correctly setup. So I will have to go back and make sure that is correct before blaming the data model.

Thanks alot for replying. I will get this someday, and hopefully write some documentation, and a helpful API on top of it all.