Forum OpenACS Development: Bugs in permission checking?
Permissions are not inherited from object_id -3, the "Default Context"
Go to /permissions and grant a permission on the "Default Context" object. Now search down the page for the "Main Site" object, and note that the permissions you granted to "Default Context" don't show up under "Inherited Permissions". In Classic ACS they do. The bboard package makes use of this feature to specify defaults for the bboard-specific permissions.
ad_permission_p doesn't recognize direct-granted permissions
Grant a permission to yourself on a package and then call acs_permission__permission_p to see if it returns "t". As far as I can tell it doesn't. Here's an example from psql:

openacs-4=# select * from acs_permissions where object_id=2920;
 object_id | grantee_id |       privilege
-----------+------------+-----------------------
      2920 |         -2 | bboard_create_message
      2920 |         -1 | bboard_read_category
      2920 |         -1 | bboard_read_forum
      2920 |         -1 | bboard_read_message
      2920 |       2082 | bboard_create_forum
(5 rows)

openacs-4=# select acs_permission__permission_p ('2920', '2082', 'bboard_create_forum') = 't' as permission_p;
 permission_p
--------------
 f
(1 row)
In ACSclassic this was a huge piece of $%^& and I (and a co-worker) created a workaround.
See the thread on ACS won't scale, and you will see.
Permissions in general, while noble in their design, are way screwed up and probably need to be re-written.
I suspect something didn't get ported to PG correctly. I just checked again and direct permissions are definitely working on Oracle/Classic.
select count(*) from acs_object_grantee_priv_map where object_id = 2920 and grantee_id = 2082 and privilege = 'bboard_create_forum';
It's possible that there is a problem with the acs_object_grantee_priv_map view.
Maybe the problem is specific to the bboard permissions data-model.
ERROR: triggered data change violation on relation "acs_privilege_hierarchy_index"). So there were no entries in acs_privilege_hierarchy for the bboard permissions.
After removing the transactional context around my calls to acs_permission__add_child, the data model was set up correctly and both the problems I mentioned above went away.
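The failure mode reported in the last post, as an added example that is not part of the thread or of OpenACS itself: a simplified model in which the lookup view joins direct grants against a privilege closure table, so a grant whose privilege has no closure rows is silently ignored. It assumes SQLite in place of PostgreSQL; `priv_closure`, `grantee_priv_map`, `unindexed_privileges` and `index_privileges` are hypothetical names, and the grant rows are sample data copied from the psql output above.

```python
import sqlite3

# Simplified model (assumption): the lookup view joins direct grants against a
# privilege closure table, so a privilege with no closure rows never matches.
SCHEMA = """
create table acs_permissions (object_id int, grantee_id int, privilege text);
-- hypothetical stand-in for the privilege hierarchy index
create table priv_closure (privilege text, descendant text);
create view grantee_priv_map as
  select p.object_id, p.grantee_id, c.descendant as privilege
  from acs_permissions p join priv_closure c on c.privilege = p.privilege;
"""

# Sample data: the five grants shown in the thread's psql output.
GRANTS = [(2920, -2, "bboard_create_message"), (2920, -1, "bboard_read_category"),
          (2920, -1, "bboard_read_forum"), (2920, -1, "bboard_read_message"),
          (2920, 2082, "bboard_create_forum")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("insert into acs_permissions values (?, ?, ?)", GRANTS)
    return db

def permission_p(db, object_id, party_id, privilege):
    # Same shape as the count(*) query posted in the thread, run on the model view.
    row = db.execute("select count(*) from grantee_priv_map where object_id = ?"
                     " and grantee_id = ? and privilege = ?",
                     (object_id, party_id, privilege)).fetchone()
    return row[0] > 0

def unindexed_privileges(db):
    """Granted privileges with no closure rows: grants that silently do nothing."""
    rows = db.execute("select distinct privilege from acs_permissions where privilege"
                      " not in (select privilege from priv_closure) order by 1")
    return [r[0] for r in rows]

def index_privileges(db, privileges):
    # Each privilege is at least its own descendant (reflexive closure row).
    db.executemany("insert into priv_closure values (?, ?)",
                   [(p, p) for p in privileges])

if __name__ == "__main__":
    db = make_db()
    print(permission_p(db, 2920, 2082, "bboard_create_forum"))
    print(unindexed_privileges(db))
    index_privileges(db, unindexed_privileges(db))
    print(permission_p(db, 2920, 2082, "bboard_create_forum"))
```

Running a check like `unindexed_privileges` after a package's data model loads catches the case where hierarchy setup failed but the grants were still inserted.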