Permissions explored, a practical way exists
This is from a discussion about permissions on OpenACS' irc (names changed) that took place sometime circa 2005.
ryan: How do I create a group containing other groups? dave: composition_rel ryan: For instance, I have 30 admin groups, and instead of adding user A to each one manually, I want to add her to one group, and thus all 30. dave: what are you trying to accomplish? dave: you can't do that ryan: crap. dave: it it totally non-intuitive dave: here is why :) dave: we have the Super Admin group dave: wait. dave: no it doesn't work ryan: So what is a composition_rel? I thought parties were supposed to be a super-set of groups. dave: let me explain :) dave: no ryan: ok, thanks :) dave: here is how it works. dave: Super Admin dave: then we have admins_a which is a component of super admins dave: maybe it can work. dave: question is dave: can a group dave: have a composition_rel to more than one other group ryan: So what is the definition of a component? dave: lets find out. dave: a component dave: so if Admin A is a component of Super Admin dave: then every member of A is a member of Super dave: which is NOT what you want. dave: you want ever member of super to have permission over all the groups "inside" it right? dave: but in this case every member of A would have permission over all the other components etc. dave: group are NOT for permissions. dave: that is the design weirdness ryan: huh? ryan: Now I am completely confused. dave: you can't use groups the way you want ryan: isn't the whole point of groups to avoid permissioning on individual users? jim: but you should be able to build a page that asks for a user and puts the user into the 30 groups dave: ryan, yes. dave: you they don't inherit the way you think ryan: so you set permissions on a group with a set of objects, then just add/remove users from the group, right? dave: its backwards to what you are thinking. dave: yes dave: that works dave: perfectly jim: so you can get what you want (convenience, non-tedium) but have to do it another way dave: but composition_rels dave: behave backwards dave: they are not useful for org chart models ryan: ah ok. dave: but I think it can work ryan: What is an application of composition_rels? dave: here is what you would do dave: if it works dave: create all your groups dave: Admin A, Admin B etc ryan: done. dave: then make one group dave: and give it a composition rel to all of those groups. dave: its upside down. dave: then if I am in the one group, i am in all of those other groups jim: so you're putting the one group into all the groups jim: that should work :) dave: yes d ave: b/c its not _in_ dave: its a component. d ave: i think that will trigger the correct permissions. ryan: how do components work in the data model - I want to understand this better. dave: well jim: it' dave: then I recommend you 1) read the acs-kenrel sql files jim: s a special kind of acs_rel dave: 2) run alot fo experiments in psql dave: 3) find a bug in the triggers dave: :) dave: that is how I figured it out. dave: sucks huh. dave: seriously the comments in the SQL files in acs-kernel are very illuminating. dave: also have you read permissions tediously explained? ryan: but you're it'll work? ryan: Yes. d ave: i am not sure it'll work dave: but jim: we think it will work r yan: but I could re-read it a fourth time dave: i don't see any rule dave: that disallows a group being a component of more than one group dave: if there is such a rule, it won't work. ryan: but compositions typically extend 'up' the chain of groups? dave: yes dave: that is what its for dave: so for example ryan: what is a practical example? dave: I have Main Subsite dave: and several other subsites dave: wait dave: actually this is an example of why it doesn't work :) dave: hmmm actually I have to check dave: not sure if susbsite groups are components of main subsite or not. dave: .... ryan: You see, I want to create this super group and then let the client admin the members... dave: ok there are no rel_constraints on a default install. so that should be safe. dave: yes d ave: but its really a sub-group jim: try it with two groups and another group be a component of both groups... give each of the first two groups two different permissions... put a user into the component group... dave: a super group would not work the way you want. dave: here i what you do jim: see if the user has both perms dave: 1) create two groups dave: 2) create another group dave: 3) make the third group a component of the first two dave: 4) add someone to the third group dave: 5) check if they are a member of 1 and 2 dave: for extra credit dave: apply a permission to 1 and 2 dave: check if the members of 3 have permission on those things dave: if this works jim: 1-4 and the extra credit are what I just sed :) dave: i just solved the oldest OpenACS 4 riddle joe: As a topical aside, we changed the way we use groups in our subsites for dotcommunity. One for admins and one for members (so we don't use admin_rels). Then we use a composition rel to make admins of top level sites also admins of lower level sites, and to compositions in the opposite direction to make members of lower level sites members of the higher level ones too. dave: jim, yes :) jim: 5 is a good idea too ryan: ok, sounds good. Will test and get back to you. That would be very cool if it could work both ways. Obviously it is important to be able to have groups of groups... dave: joie: you could still use admin_rels to do that dave: it would work the same way. dave: ryan, yes if that works the way I expect it would be cool. dave: joie, so is the lower level admin group a component of the higher level admin group? joe: The problem with admin rels was that an admin of a subsite became an admin of the supersite, which isnt what we wanted. dave: or the other way around? dave: joie: yes dave: that is what I just said dave: the component rels go the wrong way dave: than what you would think intuitively dave: although mathematically they work correctly as specified. dave: damn PhDs dave: basically we need to write high-level functional wrappers over all this crap joe: So we have a composition rel going "down" for admins, and "up" for members. So the supersite admin group is a component of the subsite's admin group, and the subsite's members group is a component of the supersites members group. dave: so you can just call a tcl proc that tells you what happens (instead of what is does in the database) dave: joie: ah so it _does_ work. that is just what I told ryan-g to do dave: we need to write a tcl api to do that that is clear what is happening. jim: so members of the subsite become also members of the supersite dave: yes dave: which makes sense joe: Indeed. Then we frigged the acs-subsite members pages to do the "right thing". dave: but then admins of the subsite become admins of the supersite (if you use admin_rels) dave: which is why you don't want to do that. dave: joie: but you are right dave: and openacs is wrong dave: except I doubt there is an upgrade script that would work dave: damn PhDs dave: joie: why the hell didn't you tell us this before? :) dave: i have been trying to figure that out for 4 years joe: We have an upgrade script that does it somewhere. Rob wrote it. dave: you rock. joe: We weren't sure the new way was "right". dave: yeah dave: it is dave: b/c it makes sense dave: well dave: except dave: no its right. joe: We then got rid of admin_rels completely. joe: and only use membership_rels dave: b/c everyone expects it to work that way dave: yeah see dave: the problems is dave: all this stuff was experimental dave: and no one every finished it jim: you would need to be careful when deleting certain objects dave: except you did. dave: so now we can say "this is the way its supposed to work' We can say that because that is the way every one has expected it to work, but it never did dave: wow jim: make sure to remove all rels first then delete dave: i am so surprised. joe: The code is in the dotCommiunity download on www.dotcommunity.org. The upgrade scripts aren't there though. dave: this is so cool. dave: get them! dave: :) joe: Heh. I'll talk to Rob about it tomorrow, as not sure what he implemented.