[dev] Re: Q regarding horde and permissions
Jan Schneider
jan at horde.org
Wed Oct 6 08:44:54 PDT 2004
Quoting "Jason M. Felice" <jfelice at cronosys.com>:
> I'm copying the Horde dev list for their input. For the people at dev@,
> "maynard" is a product catalog we are developing for a client that we'll be
> releasing to everyone once it's done. What Alan is currently working on
> is a site search feature... a keyword-based cross-application search.
> The basics of it is that there is an indexing script which calls
> applications' APIs to get a word list and associations with objects, and
> this would populate a table, and then there will be a search page in
> horde/services which queries the table based on the Google-like search
> string and finds the objects, then applies permissions checking via an
> API to each object and filters out ones to which the current user does
> not have access, then presents the results.
>
> On Wed, Oct 06, 2004 at 10:31:53AM -0400, Alan Garrison wrote:
>> I'm probably just going to store a horde permission string for a
>> "target" when I index things as to make it easy to check for access
>> permissions. e.g.,
>> "keyword" => array ("maynard:items:4", "maynard:categories:7");
This rather sounds like object IDs than permissions, and it probably is as
you describe it below?
>> Is there a "plain" way to translate a permission string to a URL, since
>> the href we would send back to the user should be something like
>> "/maynard/viewcategory.php?category_id=7" instead of
>> "/maynard/category/7"? Or is each app going to have to have an api call
>> or something that knows how to translate a perm string to a URL?
>
> Some applications might not use permissions, and some might have
> different ways of checking permissions. For example, Bob's work for
> gollem checks if the permissions entry for the object exists, and if
> not, if an entry for the parent exists, so on up the chain. Wicked only
> checks the page, and if that doesn't exist, the application (but it also
> has some funky rules based on other things). Hermes doesn't track entries
> per timeslice, but checks if the entry is submitted. If so, the person
> only has access based on the "review" permission unless they are the owner.
> Even though we decided against it, in maynard we were talking about
> permitting/preventing access based on flags such as 'imported' and
> 'domestic'.
>
> So, beware that there is no simple, predictable mapping between objects
> and permissions strings. Likely, we'll have to implement a new API
> which simply checks whether a user has permission to an object.
Exactly. Another reason is that permissions might have changed after the
last indexing.
> I know of no way to translate a permissions string into a URL, the
> closest thing is $registry->link() or $registry->linkByPackage(), but
> those take a hash of parameters to make a link, not an object string or
> perm string. I talked with Chuck, and the idea was to extend the show()
> APIs to handle the object path type string. He'll have to give you an
> idea of how he wanted to do that.
Yeah, that sounds like a good idea. Though I would create a separate API
method, say "link" or "get", as a counterpart of the browse API method. So,
we have the browse method returning all available objects and a link method
returning a link based on the IDs returned by browse. Your method that
requests the word list or an indexable full text also uses these IDs as
references.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
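
The design this thread converges on, as an added example that is not part of the original messages and is not Horde code: the index stores only object IDs, access is checked per object through the owning application at query time, and a separate method turns an ID into a link. The callback names `hasAccess` and `link`, the `viewitem.php` URL, and the sample index and ACL data are assumptions constructed for illustration.

```php
<?php
// Added illustration; none of these names are Horde APIs.
// Index built earlier by the indexing script: keyword => object IDs (constructed sample).
$index = [
    'widget' => ['maynard:items:4', 'maynard:categories:7', 'wicked:pages:12'],
];

// Live ACL state at query time, not at indexing time (constructed sample).
// alan lost access to category 7 after the index was built.
$acl = ['maynard:items:4' => ['alan'], 'maynard:categories:7' => []];

// Per-application callbacks standing in for a per-app "has permission" and "link" method.
$apps = [
    'maynard' => [
        'hasAccess' => function (string $user, string $id) use ($acl): bool {
            return in_array($user, $acl[$id] ?? [], true);
        },
        'link' => function (string $type, string $key): string {
            // viewitem.php is a hypothetical page name; viewcategory.php is from the thread.
            $pages = ['items' => 'viewitem.php?item_id=', 'categories' => 'viewcategory.php?category_id='];
            return '/maynard/' . $pages[$type] . rawurlencode($key);
        },
    ],
    // 'wicked' registers nothing here, so its hits are dropped (fail closed).
];

function search(array $index, array $apps, string $user, string $keyword): array
{
    $links = [];
    foreach ($index[$keyword] ?? [] as $id) {
        $parts = explode(':', $id, 3);
        if (count($parts) !== 3) {
            continue; // malformed index entry
        }
        [$app, $type, $key] = $parts;
        if (!isset($apps[$app]['hasAccess'], $apps[$app]['link'])) {
            continue; // no way to check access: do not show the hit
        }
        if (!$apps[$app]['hasAccess']($user, $id)) {
            continue; // checked now, so permission changes since indexing apply
        }
        $links[] = $apps[$app]['link']($type, $key);
    }
    return $links;
}

print_r(search($index, $apps, 'alan', 'widget'));
```

Only the item link is returned for alan: the category hit is still in the index but is filtered by the live check, and the wicked hit is dropped because no checker is registered for that application.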