[dev] Assigning permissions dynamically in Turba

[Michael Rubinsky]

I'm trying to map IMSP acls to horde permissions for IMSP addressbooks now 
that the read-only attribute is gone.  I've got the initial code worked 
out, but am having a problem determining exactly *where* to call it from.

For IMSP sources, sources.php defines the user's default addressbook then 
calls a utility function that dynamically builds $cfgSources entries for 
any other addressbooks the user has rights to on the server, and then used 
to set the read-only flag accordingly.  Now, to put it simply, I build 
horde permission entries for the sources and assign appropriate 
permissions.  I was going to perform this from sources.php but the problem 
is that sets up a loop - as sources.php is also loaded from within the 
_turba_perms() api function.  (Changing it from   'require' to 
'require_once' solves MY problem, but I imagine doing a require_once from 
within a function would cause problems once the function exits and 
$cfgSources goes out of scope).

So...I thought I would just do the perms sync stuff from within the imsp 
driver itself.  This basically works, but there are two problems I have 
with this route:

1) The permissions would only be created after the user loads an IMSP 
addressbook.  This means that the first time they log on after they have 
been given access to a new source, they won't see that source until they 
first load a different imsp source and then either log out and back in 
again, or refresh the web page.  This would only happen the first time they 
log in after they get access to a new source (and also the first time after 
this code is added) but I still think it would be a bit awkward.

2) Not a big deal, but would need to add a new global variable to hold some 
info about the IMSP sources since Turba::permissionsFilter() is called on 
$cfgSources, removing the source *before* the permissions code would be 
able to see it and add the permissions.

So now I'm thinking I should call the permission code from a hook.  That 
leads me (finally) to my real question, out of the existing hooks available 
I think it would probably go under _horde_hook_postAuthenticate...and I'd 
have to obviously load turba/config/sources.php there so I'd have the 
$cfgSources array.  Maybe a better way to go would be to implement some 
sort of _turba_hook_sourcesLoaded() or something similar at the point after 
sources.php is loaded but before Turba::permissionsFilter is called?  I 
think that might be useful to some of the other backends that could 
dynamically add sources based on the backend server's acls (kolab comes to 
mind).

In a related question, I'm having trouble figuring a way to map the 
permissions back the other way, from horde permissions to imsp acls.  Are 
there any existing permission hooks that I could tie into to determine when 
a permission has been changed from with horde..something along the lines of 
the horde shares stuff?  If not, would anyone object to adding them?

Any of this make any sense to anyone? ;)

Thanks -
Mike