[dev] Object_creator Permissions

Michael Menge michael.menge at zdv.uni-tuebingen.de
Thu Jun 29 01:55:31 PDT 2006


Quoting Jan Schneider <jan at horde.org>:

> Quoting Michael Menge <michael.menge at zdv.uni-tuebingen.de>:
>
>> Hi,
>>
>> At the moment I have some trouble with shares, see Bug #4021 and
>> feature request #4063. I would like to help in solving this problem. Here is
>> my proposal how I think the share system should handle the object_creator.
>>
>> ---------------
>> We have the Permissions SHOW, READ, EDIT, DELETE and CREATE
>>
>> If object_creator has the SHOW permission a user should only see a share if
>> there are objects in the share he owns.
>
> No, shares don't know about their objects.

I think here lies the problem I reported in Bug #4021. Every user
can see every share that has object_creator SHOW permission set.
Seeing thousands of shares they can't use and they should not see is
very confusing for the users.

>
>> In this case the user should only see objects he owns.
>
> This is how it works today.
>
>> How the user could create the object is not the matter at this place
>>
>> If object_creator has the READ permission a user should only be able to READ
>> the objects he owns. Same for EDIT and DELETE
>
> Should be the case already.

Yes, some things work already in the way I would expect them to work.
But at the moment it is possible for everyone to create objects in
shares if the EDIT permission is set for the object creator.

But if the EDIT permission is not set for the object creator but other
permissions (i.e. READ and DELETE) are set and the EDIT permission is
set for the user then he can edit all but his own objects in the share.


>
>> If object_creator has the CREATE permission and the user owns an object that
>> is a share itself the user would be able to create entries in the subshare,
>> but not to create other objects in the share itself. To create a new
>> object in a
>> share the user must have CREATE permission set for him or for a group he is
>> in.
>
> Huh? I think you confuse shares and objects here.
>

I have read that shares can have objects that are subshares. At the
moment I don't know a module that uses this feature.

If we have only normal objects in a share the CREATE permission for
the object creator would be useless. But if subshares (objects that are
shares themselves) are allowed, this permission could be used to allow
me to create new objects in that subshare.

But this could also be solved by setting the permissions for that
subshare. So maybe we should not use the CREATE permission for object
creator.


>> Maybe we need a way for the owner of the share to change ownership of object
>> in his share.
>
> This is already possible with event delegation in Kronolith.
>
>> At the moment it is not tested if there are objects in a share that
>> are created by the user so every user has the right to see a share and
>> to add new objects in a share if the object_creator has SHOW or EDIT
>> permission
>
> Yes, and that's how it is supposed to work. Share permissions have
> nothing to do with the objects in the share, only objects are affected
> by the share permissions.
>

I understand that objects and shares are stored in different ways and
that only objects are affected by the share permissions, but I don't
want that everyone can see that there is a share "blafasel" or "I hate
my boss".

Group permissions are only evaluated for groups I am a member of (which
is correct). Why don't we implement a function that shows the shares
the user has objects in and evaluate the object_creator permissions
only for these shares?

Michael




-- 
--------------------------------------------------------------------------------
M.Menge                                 Tel.: (49) 7071/29-70316
Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung          mail: menge at zdv.uni-tuebingen.de
Waechterstrasse 76
72074 Tuebingen
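
Added example, not part of the original message and not Horde code: a small Python model of the share listing discussed above, comparing the reported behaviour (creator SHOW makes a share visible to every user) with the proposed one (creator permissions count only where the user owns an object). The `Share` class, the function names, the bit values and the sample data are all constructed for illustration; because shares do not know about their objects, object ownership is passed in as a separate list.

```python
from dataclasses import dataclass, field

SHOW, READ, EDIT, DELETE = 2, 4, 8, 16  # constructed bit values for this model

@dataclass
class Share:
    name: str
    owner: str
    creator_perms: int = 0                      # the object_creator entry
    user_perms: dict = field(default_factory=dict)
    group_perms: dict = field(default_factory=dict)

def direct_perms(share, user, groups):
    """Permissions granted to the user by name or through groups they belong to."""
    perms = share.user_perms.get(user, 0)
    for g in groups:
        perms |= share.group_perms.get(g, 0)
    return perms

def list_shares_reported(shares, user, groups):
    """Reported behaviour: creator SHOW makes a share visible to everyone."""
    return [s.name for s in shares
            if s.owner == user
            or (direct_perms(s, user, groups) | s.creator_perms) & SHOW]

def list_shares_proposed(shares, objects, user, groups):
    """Proposal: apply creator permissions only where the user owns an object."""
    owned_in = {share for share, owner in objects if owner == user}
    visible = []
    for s in shares:
        perms = direct_perms(s, user, groups)
        if s.name in owned_in:
            perms |= s.creator_perms
        if s.owner == user or perms & SHOW:
            visible.append(s.name)
    return visible

# Constructed sample data: (share name, object owner) pairs stand in for the
# application's own object storage.
SHARES = [
    Share("blafasel", "alice", creator_perms=SHOW | READ),
    Share("team", "alice", group_perms={"staff": SHOW | READ}),
    Share("private", "alice"),
]
OBJECTS = [("blafasel", "carol"), ("team", "bob")]

if __name__ == "__main__":
    for user, groups in [("bob", ["staff"]), ("carol", []), ("dave", [])]:
        print(user, list_shares_reported(SHARES, user, groups),
              list_shares_proposed(SHARES, OBJECTS, user, groups))
```
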


