Forum OpenACS Development: Re: Ideas for using groups to minimize custom permission

Collapse
Posted by Don Baccus on
The single-row optimization is orthogonal to what you're talking about.  I've thought in terms of representing permissions as a bit-mask once we collapse custom permissions mostly out of existence myself, so I'm not necessarily opposed to experimenting with Branimir's idea (they're essentially equivalent).

This would be a fairly major change for client code that queries against the standard permission views, though, as is recommended for best performance.

The "admin all news_items" problem is most easily solved by ignoring supposed weaknesses in the permissions system design entirely (not to mention supposed optimizations of the implementation of that design).  The weakness in this case lies in the object model design, as has been discussed several times over the past couple of years:

Object types should be OBJECTS.  Then you just grant someone "admin" on the "news_item" object and presto, everything works.

Awhile back someone was working on "object proxies" for objects, i.e. just binding an object to each object_type in the system (of type "object_type_proxy" I imagine).  This would be a lot easier than redesigning the object model, at least from the upgrade script P.O.V.