Forum OpenACS Development: Re: Best Practices for permissions, straw man

Posted by Tom Jackson on

Two points: we don't have roles in OpenACS, and privileges don't have fixed meanings.

No Roles: a role is a collection/group of rights that can be granted to a user. Currently there is no way to group rights; they have to be granted one by one. Actually this is just done implicitly by each application. When I become a member of the main site, I implicitly can do a number of things. Bug tracker uses roles explicitly. I have used an owner_id in a data model to allow me to select rows. Query-Writer uses membership in a rel_segment to check if a user can assume a role (which is a list of actions on objects).

Privileges have no meaning: You can use the existence of any privilege for any purpose (as a developer).

Posted by Tom Jackson on

Sorry, I mentioned the bug tracker package; actually I meant the workflow package, which is used by bug tracker.

Posted by Jeff Davis on
Tom, grouping rights can be done by granting the permissions to a group and then adding a user to that group to grant the set of permissions (I think it's equivalent to the way roles work on Oracle, for example). Of course, as far as I am aware nothing exploits this (well, dotlrn sort of does, I guess).