Forum OpenACS Development: Re: Ideas for using groups to minimize custom permission

Posted by Tom Jackson on

Lars, Huh? You mean there isn't a handy pl procedure to do it, not that the data model doesn't support these three 'grant types', right? Writing this procedure would be just as easy or difficult with your proposed model, wouldn't it? I'm not sure what the extra columns would accomplish other than making it impossible to join (easily) against the table. I think since Don's recent reorganization of the base tables you can do a join to do bulk permission checks, although I haven't tried it myself.

Posted by Lars Pind on
Ok, I think I complicated matters unnecessarily by mentioning the single-row optimization. Forget about that, and let's concentrate on one thing at a time.

Requirement:
------------

- I want to grant 'admin' on all news items to user x.

Dave's Design:
--------------

Create a site-wide "News" group, etc. -- see above.

My conceptual design proposal:
------------------------------

Instead of thinking of this as granting privs on *packages* think about it as granting privs on *objects*.

What you want to do is grant 'admin' on all objects of type 'news_items'.

One possible implementation:
----------------------------

Add a column 'object_type' to the acs_permissions table, which defaults to 'acs_object', meaning this permission is granted on all object types.

Change the permissions check procs/views to also check whether the object in question is a subtype of the value of the object_type column in the acs_permissions table.

... there are other possible implementations, if you agree with me on the conceptual design.

Comments?
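
The type-scoped check proposed in the post above, sketched as an added example; it is not part of the original thread and not OpenACS code. The three tables are simplified stand-ins, and inheritance of grants along `context_id`, the `permission_p` helper and all sample rows are assumptions made for the illustration (privilege hierarchies and group membership are left out).

```python
import sqlite3

# Simplified schema assumed for this sketch; it is not the OpenACS data model.
SCHEMA = """
CREATE TABLE acs_object_types (object_type TEXT PRIMARY KEY, supertype TEXT);
CREATE TABLE acs_objects (object_id INTEGER PRIMARY KEY, object_type TEXT,
                          context_id INTEGER);
CREATE TABLE acs_permissions (object_id INTEGER, grantee_id INTEGER, privilege TEXT,
    object_type TEXT NOT NULL DEFAULT 'acs_object');  -- the proposed column
"""

CHECK = """
WITH RECURSIVE
  ctx(object_id) AS (      -- the object plus its context ancestors (assumed)
    SELECT :obj UNION
    SELECT o.context_id FROM acs_objects o JOIN ctx ON o.object_id = ctx.object_id
     WHERE o.context_id IS NOT NULL),
  types(object_type) AS (  -- the object's type plus all of its supertypes
    SELECT object_type FROM acs_objects WHERE object_id = :obj UNION
    SELECT t.supertype FROM acs_object_types t
      JOIN types ON t.object_type = types.object_type
     WHERE t.supertype IS NOT NULL)
SELECT EXISTS (SELECT 1 FROM acs_permissions p
  WHERE p.grantee_id = :user AND p.privilege = :priv
    AND p.object_id IN (SELECT object_id FROM ctx)
    AND p.object_type IN (SELECT object_type FROM types))
"""

def build_db():
    """Constructed sample data: 1 = site root, 2 = a package, 10/11 = its content."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO acs_object_types VALUES (?, ?)", [
        ("acs_object", None), ("content_item", "acs_object"),
        ("news_item", "content_item"), ("forum_message", "acs_object")])
    db.executemany("INSERT INTO acs_objects VALUES (?, ?, ?)", [
        (1, "acs_object", None), (2, "acs_object", 1),
        (10, "news_item", 2), (11, "forum_message", 2)])
    # 'admin' on all news items for user 100: one row on the root, typed news_item.
    db.execute("INSERT INTO acs_permissions VALUES (1, 100, 'admin', 'news_item')")
    # No object_type given: the default 'acs_object' covers every type.
    db.execute("INSERT INTO acs_permissions (object_id, grantee_id, privilege) "
               "VALUES (2, 200, 'read')")
    return db

def permission_p(db, obj, user, priv):
    """True if some grant on obj or an ancestor matches obj's type or a supertype."""
    row = db.execute(CHECK, {"obj": obj, "user": user, "priv": priv}).fetchone()
    return bool(row[0])
```

Because the check accepts any supertype of the object's type, a grant typed `content_item` in this sketch would also reach every `news_item`, so the type named in a grant bounds its reach only as tightly as the type hierarchy below it.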