[dev] Assigning permissions dynamically in Turba

Chuck Hagenbuch chuck at horde.org
Thu Jun 23 00:27:26 PDT 2005


Quoting Michael Rubinsky <mike at theupstairsroom.com>:

> In working on this for a bit, I basically replaced all the
> Turba::hasPermission() calls throughout Turba with a
> $object->hasPermission() or $driver->hasPermission() as appropriate.  This
> works well for most of the cases where we check permissions from within
> Turba.  However, in Turba::getAddressBooks(), $cfgSources is run through
> Turba::permissionsFilter before the results are returned....and
> Turba::permissionsFilter checks the permissions against Horde
> permissions...so, in order for this to work, Turba::permissionsFilter would
> instead have to instantiate a driver object for each source within
> $cfgSources and then call $driver->hasPermission() for that particular
> source.  I guess I'm just worried about that being too much
> overhead...thoughts?

Probably, yes, but we can cache it then.

> First of all, only Horde admins have access to the current permissions UI.
> This means that the Horde administrator would also have to have admin
> privileges on the IMSP server in order for this to fully work.
> Additionally, users would not be able to give other users rights on
> addressbooks that they own, since they don't have access to the perms UI.
>
> Second, even IMSP admins won't necessarily have permissions to all
> addressbooks on the server, so they would not be visible to them from
> within the permissions UI...they wouldn't be able to assign/revoke
> permissions on all addressbooks, and they would *never* be able to assign
> permissions to user's default addressbooks (which would only be visible
> when logged in as that user).
>
> So, I'm thinking that instead of tying the acls to Horde perms, I would
> provide a UI (in the options screen) for individual users to allow editing
> of acls for those sources that they have rights to do so.  Looking forward,
> maybe create the hooks into Horde permissions and then use those to make
> sure that any perms that might be granted via Horde perm UI 'makes sense'
> etc...

I'm not sure that it even really makes sense, given your explanations, 
to tie in Horde perms at all. But either way, yes, a seperate UI makes 
sense.

-chuck

-- 
"But she goes not abroad in search of monsters to destroy." - John 
Quincy Adams


More information about the dev mailing list