[dev] Re: Q regarding horde and permissions

Jason M. Felice jfelice at cronosys.com
Wed Oct 6 08:24:32 PDT 2004


I'm copying the Horde dev list for their input.  For the people at dev@,
"maynard" is a product catalog we are developing for a client that we'll be
releasing to everyone once it's done.  What Alan is currently working on
is a site search feature... a keyword-based cross-application search.
The basics of it is that there is an indexing script which calls
applications' APIs to get a word list and associations with objects, and
this would populate a table, and then there will be a search page in
horde/services which queries the table based on the Google-like search
string and finds the objects, then applies permissions checking via an
API to each object and filters out ones to which the current user does
not have access, then presents the results.

On Wed, Oct 06, 2004 at 10:31:53AM -0400, Alan Garrison wrote:
> I'm probably just going to store a horde permission string for a 
> "target" when I index things as to make it easy to check for access 
> permissions.  e.g.,
> "keword" => array ("maynard:items:4", "maynard:categories:7");
> Is there a "plain" way to translate a permission string to a URL, since 
> the href we would send back to the user should be something like
> "/maynard/viewcategory.php?category_id=7" instead of
> "/maynard/category/7"?  Or is each app going to have to have an api call 
> or something that knows how to translate a perm string to a URL?

Some applications might not use permissions, and some might have
different ways of checking permissions.  For example, Bob's work for
gollem checks if the permissions entry for the object exists, and if
not, if an entry for the parent exists, so on up the chain.  Wicked only
checks the page, and if that doesn't exist, the application (but it also
has some funky rules based on other things).  Hermes doesn't track entries
per timeslice, but checks if the entry is submitted.  If so, the person
only has access based on the "review" permission unless they are the owner.
Even though we decided against it, in maynard we were talking about
permitting/preventing access based on flags such as 'imported' and
'domestic'.

So, beware that there is no simple, predictable mapping between objects
and permissions strings.  Likely, we'll have to implement a new API
which simply checks whether a user has permission to an object.

I know of no way to translate a permissions string into a URL, the
closest thing is $registry->link() or $registry->linkByPackage(), but
those take a hash of parameters to make a link, not an object string or
perm string.  I talked with Chuck, and the idea was to extend the show()
APIs to handle the object path type string.  He'll have to give you an
idea of how he wanted to do that.

-- 
 Jason M. Felice
 Cronosys, LLC <http://www.cronosys.com/>
 216.221.4600 x302


More information about the dev mailing list