[gollem] SQL Permissioning

Eric Rostetter eric.rostetter@physics.utexas.edu
Tue, 6 Aug 2002 22:16:42 -0500


Quoting Michael Varghese <mike.varghese@ascellatech.com>:

> I understand that I can use the
> horde.perms api to handle the permissions, but I'm confused at how I should
> implement this while maintaining compatibility with the FTP and Local VFS
> drivers

I don't know about the horde perms, but what you are asking for exists in
at least some filesystems and ftp servers.  Parts may also be possible in 
some sql databases.

> Extended permissioning includes the capability to allow multiple users
> specific access to a file and also allowing multiple groups specific access
> to a file.

I don't see this as a real problem for file/ftp drivers -- it would just 
be perhaps filesystem/ftp-server dependent.

> For example, I want to be able to give user "john(owner)" read/modify/delete
> privileges, give user "rick" read/modify access and user "joe" read access.
> Then I also want to be able to give the "admin" group read/modify/delete
> while the group "users" has only read access.  Everyone else would have no
> access

You could do this with groups, but that would be a kludge.  Better would
be a combination of acl's and groups for the file/ftp backends. Not sure
about sql.

> The problem I am having is that, if I implement something like this, how
> would this be displayed correctly in gollem seeing as how the 2 other
> backends do not use the same type of permissioning?

Many file systems support acl and group access.  If they do, then their
ftp should also (but that is actually less common).  So this is doable
in file/ftp, depending on the user's implementation.

How to display them is up to you.  How to set/change them is up to the
OS/filesystem/ftp-server.

> I would have to change
> gollem in order to display these permissions correctly.  Are there any ideas
> of how to deal with this?

Use acl's + owner + group for filesystems.  Acl support only would work
where it was supported by the OS/Filesystem/server.  Basically the same
for ftp.  Don't know about sql.

Now the problem is: does PHP support acl's?  If not, you might have to code
it in exec/system/etc type calls.  If so, coding it safely could be a 
problem.
 
> -mike

Maybe the above will help.  Maybe not...

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
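
The exec/system route mentioned in the reply, as an added example (not Gollem or Horde code, and not written by either poster): each ACL entry is checked against an allow-list and every argument is shell-quoted before a `setfacl` command line is built. It assumes a POSIX `setfacl`, maps read/modify to `r`/`w` only (delete is not a per-file POSIX ACL bit), and the function names and file path are hypothetical.

```php
<?php
// Added example, not Gollem or Horde code. Assumes a POSIX system whose
// setfacl accepts comma-separated "u:NAME:PERMS" / "g:NAME:PERMS" entries.

/**
 * Validate one ACL entry and return it in setfacl syntax.
 * $kind is 'u' (user) or 'g' (group); $perms is a 3-character rwx string.
 */
function acl_entry(string $kind, string $name, string $perms): string
{
    if ($kind !== 'u' && $kind !== 'g') {
        throw new InvalidArgumentException('bad entry kind');
    }
    // Allow-list the name: no colons, commas, spaces or shell metacharacters.
    if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $name)) {
        throw new InvalidArgumentException('bad principal name');
    }
    if (!preg_match('/\A[r-][w-][x-]\z/', $perms)) {
        throw new InvalidArgumentException('bad permission string');
    }
    return "$kind:$name:$perms";
}

/** Build a shell-quoted setfacl command line for a list of entries. */
function setfacl_command(string $path, array $entries): string
{
    $spec = [];
    foreach ($entries as [$kind, $name, $perms]) {
        $spec[] = acl_entry($kind, $name, $perms);
    }
    // Everyone not listed gets no access.
    $spec[] = 'o::---';
    // "--" ends option parsing, so a path starting with "-" is not a flag.
    return 'setfacl -m ' . escapeshellarg(implode(',', $spec))
         . ' -- ' . escapeshellarg($path);
}

// Constructed sample mirroring the users and groups in the question.
$cmd = setfacl_command('/srv/vfs/report.txt', [
    ['u', 'rick',  'rw-'],
    ['u', 'joe',   'r--'],
    ['g', 'admin', 'rw-'],
    ['g', 'users', 'r--'],
]);
echo $cmd, "\n";   // hand to exec() only after the checks above succeed
```

The owner's own bits stay with the file's normal mode; any entry that fails validation throws before a command string exists, so nothing unvalidated reaches the shell.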