[dev] Re: Q regarding horde and permissions

[Jan Schneider]

Zitat von "Jason M. Felice" <jfelice at cronosys.com>:

> I'm copying the Horde dev list for their input.  For the people at dev@,
> "maynard" is a product catalog we are developing for a client that we'll be
> releasing to everyone once it's done.  What Alan is currently working on
> is a site search feature... a keyword-based cross-application search.
> The basics of it is that there is an indexing script which calls
> applications' APIs to get a word list and associations with objects, and
> this would populate a table, and then there will be a search page in
> horde/services which queries the table based on the Google-like search
> string and finds the objects, then applies permissions checking via an
> API to each object and filters out ones to which the current user does
> not have access, then presents the results.
>
> On Wed, Oct 06, 2004 at 10:31:53AM -0400, Alan Garrison wrote:
>> I'm probably just going to store a horde permission string for a
>> "target" when I index things as to make it easy to check for access
>> permissions.  e.g.,
>> "keword" => array ("maynard:items:4", "maynard:categories:7");

This rather sounds like object IDs than permissions, and it probably is as
you describe it below?

>> Is there a "plain" way to translate a permission string to a URL, since
>> the href we would send back to the user should be something like
>> "/maynard/viewcategory.php?category_id=7" instead of
>> "/maynard/category/7"?  Or is each app going to have to have an api call
>> or something that knows how to translate a perm string to a URL?
>
> Some applications might not use permissions, and some might have
> different ways of checking permissions.  For example, Bob's work for
> gollem checks if the permissions entry for the object exists, and if
> not, if an entry for the parent exists, so on up the chain.  Wicked only
> checks the page, and if that doesn't exist, the application (but it also
> has some funky rules based on other things).  Hermes doesn't track entries
> per timeslice, but checks if the entry is submitted.  If so, the person
> only has access based on the "review" permission unless they are the owner.
> Even though we decided against it, in maynard we were talking about
> permitting/preventing access based on flags such as 'imported' and
> 'domestic'.
>
> So, beware that there is no simple, predictable mapping between objects
> and permissions strings.  Likely, we'll have to implement a new API
> which simply checks whether a user has permission to an object.

Exactly. Another reason is that permissions might have changed after the
last indexing.

> I know of no way to translate a permissions string into a URL, the
> closest thing is $registry->link() or $registry->linkByPackage(), but
> those take a hash of parameters to make a link, not an object string or
> perm string.  I talked with Chuck, and the idea was to extend the show()
> APIs to handle the object path type string.  He'll have to give you an
> idea of how he wanted to do that.

Yeah, that sounds like a good idea. Though I would create a separate API
method, say "link" or "get", as a counterpart of the browse API method. So,
we have the browse method returning all available objects and a link method
returning a link based on the IDs returned by browser. Your method that
requests the word list or an indexable full text also uses these IDs as
references.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/