[dev] wicked permissions, attempt #2

Jason M. Felice jfelice at cronosys.com
Wed Dec 1 08:42:09 PST 2004


On Sun, Nov 28, 2004 at 04:38:22PM -0600, Ben Chavet wrote:
> Ok, here's my next attempt at fixing wicked's permissions.  Jason, you weren't
> kidding when you said it was more complicated than what I originally submitted
> :)
>
> I've tested this patch as thoroughly as I can possibly think of.
> Feedback/Suggestions welcome.
>
> Here's the rundown:
>
> lib/Page/StandardPage.php now checks if 'wicked' and 'wicked:pages' exist.  If
> not, they are created with reasonable defaults.
>
> AttachedFiles, BackLinks, EditPage, LikePages, MergeOrRename all check & return
> the permissions of the referring page.
>
> I created a new permission branch, 'wicked:system', to contain AllPages,
> LeastPopular, MostPopular, PageSearch, RecentChanges, and TitleSearch.  I did
> this because I didn't really feel that these belong in the 'wicked:pages'
> branch.  Granted, they are still pages, but they each serve a special purpose.
>
> lib/api.php has been updated to reflect the 'wicked:system' permission branch.
>
> I made this diff using 'cvs -q diff -u' in /wicked to cut down on number of
> attachments.  If this doesn't work, I can redo it with individual diffs.

Hi Ben-

I committed your part about the fallback to 'wicked:pages' if the
page-specific permissions don't exist.  I tweaked slightly so it uses
defaults instead of falling back to 'wicked' if 'wicked:pages' doesn't
exist.  I think this will prevent some user confusion.

I committed the part which creates 'wicked' and 'wicked:pages'
automatically.

I committed the parts about checking the referrer's permissions for
EditPage, AttachedFiles, and MergeOrRename.  I'm not sure about
LikePages or BackLinks.  These pages should filter the _results_ based on
whether the user has access to the pages (I'm not sure if they do right
now), but I don't know that preventing their _use_ based on the referrer
is useful.

All this stuff is great, and some of it is desperately needed, so
thanks!

So the only part I haven't committed is the 'wicked:system' and
'wicked:system:*' stuff.  I can probably be convinced otherwise, but I'd
like to keep special pages as un-special in treatment as possible.

($wicked->listPages() does need to list special pages, though, for two
reasons-- first, so permissions can be set on them and second so that
they appear to exist.  Right now, if you refer to 'AllPages' or
'BackLinks' in the text of a page, the question mark icon appears after it
as if the page doesn't exist).

-- 
 Jason M. Felice
 Cronosys, LLC <http://www.cronosys.com/>
 216.221.4600 x302
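
The fallback order and the result filtering discussed in this message, as an added example that is not part of the original e-mail and is not Wicked or Horde code. It assumes page-specific nodes are named 'wicked:pages:<PageName>' and that an existing node is authoritative for users it does not list; the constants, function names and permission data are hypothetical.

```php
<?php
// Added illustration; not Wicked or Horde code. All names below are hypothetical.
const PERM_READ = 4;
const PERM_EDIT = 8;

// Assumed built-in default used when neither the page node nor 'wicked:pages' exists.
const DEFAULT_PERMS = PERM_READ;

// Constructed permission store: node name => [user => bitmask].
$perms = [
    'wicked:pages'            => ['alice' => PERM_READ | PERM_EDIT, 'bob' => PERM_READ],
    'wicked:pages:StaffNotes' => ['alice' => PERM_READ],
];

/**
 * Resolve a user's rights on a page: page-specific node first, then
 * 'wicked:pages', then the built-in defaults. It never falls back to 'wicked'.
 */
function pagePermissions(array $perms, string $page, string $user): int
{
    foreach (["wicked:pages:$page", 'wicked:pages'] as $node) {
        if (array_key_exists($node, $perms)) {
            // Assumption: an existing node is authoritative, so a user it
            // does not list gets no rights instead of inheriting from above.
            return $perms[$node][$user] ?? 0;
        }
    }
    return DEFAULT_PERMS;
}

/** Reduce a result list (e.g. back links) to the pages the user may read. */
function filterReadable(array $perms, array $pages, string $user): array
{
    return array_values(array_filter(
        $pages,
        fn(string $p): bool => (pagePermissions($perms, $p, $user) & PERM_READ) !== 0
    ));
}

// Constructed back-link results; special pages are treated like any other page.
$backLinks = ['WikiHome', 'StaffNotes', 'AllPages'];

print_r(filterReadable($perms, $backLinks, 'alice'));
print_r(filterReadable($perms, $backLinks, 'bob'));
```

Filtering the list per viewer keeps BackLinks and LikePages usable from any page while avoiding disclosure of page titles the viewer cannot read.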

