Forum OpenACS Development: Re: Should we timeout permissions cache?

Posted by Jeff Davis on
Peter, the thing you are missing is that in a lot of cases (in fact almost every case) the permission is not granted directly; a given user has or doesn't have it by virtue of being in the right group, and the object generally inherits the permission from another object.

To get it right, if you add or remove someone from a group you would have to flush all permissions for that user (strictly speaking you might be able to hold on to some, but I think that would cost more than just flushing them all). If you change permission on an object, you would need to flush all the ones on that object or any object that inherits permissions from that object.

As it stands, granting and revoking direct permissions via the Tcl API will flush properly, and I made a couple of other operations flush as well, but really getting it right is quite hard.
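The two flush rules described in the post above, as an added Python model that is not part of the original post and is not OpenACS code. The class, method names and the `flush` switch are hypothetical; the switch exists only to show the stale answer left behind when a group change skips the flush.

```python
from collections import defaultdict

class PermissionCache:
    """Toy model (assumption, not OpenACS): grants go to users or groups,
    and an object inherits permissions from its parent object."""

    def __init__(self):
        self.parent = {}                 # object -> object it inherits permissions from
        self.members = defaultdict(set)  # group -> set of users
        self.grants = defaultdict(set)   # object -> {(party, privilege)}
        self.cache = {}                  # (user, object, privilege) -> bool

    def _lookup(self, user, obj, priv):
        parties = {user} | {g for g, users in self.members.items() if user in users}
        while obj is not None:           # walk up the inheritance chain
            if any((p, priv) in self.grants.get(obj, ()) for p in parties):
                return True
            obj = self.parent.get(obj)
        return False

    def check(self, user, obj, priv):
        key = (user, obj, priv)
        if key not in self.cache:
            self.cache[key] = self._lookup(user, obj, priv)
        return self.cache[key]

    def _subtree(self, obj):
        seen, todo = {obj}, [obj]
        while todo:
            cur = todo.pop()
            for child, par in self.parent.items():
                if par == cur and child not in seen:
                    seen.add(child)
                    todo.append(child)
        return seen

    def set_membership(self, group, user, member, flush=True):
        (self.members[group].add if member else self.members[group].discard)(user)
        if flush:  # group change: drop every cached answer for this user
            self.cache = {k: v for k, v in self.cache.items() if k[0] != user}

    def set_grant(self, obj, party, priv, granted):
        (self.grants[obj].add if granted else self.grants[obj].discard)((party, priv))
        affected = self._subtree(obj)  # the object plus everything inheriting from it
        self.cache = {k: v for k, v in self.cache.items() if k[1] not in affected}
```
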