[gollem] Read-only access for backends

[Chuck Hagenbuch]

Quoting Vijay Mahrra <vijay.mahrra at es.easynet.net>:

> 1) How should Horde permissions (in theory if not implemented) affect
> Gollem?
>
> In the docs/TODO file it says:
> - Manager: permissions
> but I couldn't really find anywhere else an explanation of what that refers
> to exactly, so I'm guessing the following:

Yeah, that note basically means "implement them, somehow".

> If I set the following permissions (and the users don't have admin rights):
>
> A horde user C wants to be able to upload/edit/delete/modify files using
> Gollem to a file backend, but don't want other users of the same Horde
> installation A to have the same rights they have on that backend,
> effectively others must have only show/read/download permissions (and hide
> those related options within the interface)
>
> A - All Authenticated Users     SHOW/READ
> B - Guest Permissions     SHOW/READ
> C - Individual Users (JBLOGGS)  SHOW/READ/EDIT/DELETE

Set these permissions on what? Perms should be set per-backend, like 
Turba's source perms. Perms on Gollem itself will just affect whether 
or not someone sees/can access the app.

> i) Does this mean that A and B can both view Gollem and the backends, but A
> can also edit (but not delete) and C can do all of the above?

A and B have the same perms so there shouldn't be any difference 
between them...

> At the moment (using the CVS version) with the above permissions A still can
> create/delete files, whilst B doesn't actually work at all - the client is
> redirect to the login screen.

Well, that's because your backend requires auth too. If you want guests 
to be able to use a Gollem backend you need to configure a backend that 
either doesn't need credentials, or has all credentials provided in the 
configuration file.

> ii) If C has no perms for EDIT/DELETE is it sensible that they should not be
> able to view the upload file dialogue and the actions select-list options?

The actions list can (and does) contain non-editing actions, so it 
shouldn't be disabled globally. If C can't EDIT the current directory 
then yes, it makes no sense to show the upload file form.

> iii) If C EDIT but no DELETE they should be able to view everything except
> the DELETE option from the select list option to delete?

Or "Cut Item". But otherwise yes.

> iv) Should we be able set these permissions on a per backend basis?  Because
> at the moment such permissions would affect all backends.

Not sure why you say at the moment they would, but yes, they should be 
per-backend.

> 2) Regarding the backend-specific perms you mentioned already exist.
>
> i) The backend array value 'attributes' does have 'permission' but as far as
> i can tell this has no effect on whether or not all users can
> add/edit/delete files.

Right, that's whether or not the backend returns a unix permissions 
string as one of the potential columns.

> ii) Should there be a 'permission' setting with the values for Horde perms
> SHOW/READ/EDIT/DELETE or 'readonly' in the params array?

No, permissions should be specified in the general Horde perms UI, not 
hardcoded into a config file.

> For example if the backend is an ftp account with an ISP somewhere and you
> don't want to give users of your Horde installation permission to do
> anything other than download from the backend that uses your ftp
> credentials.

Mmm?

> I hope you can follow my points as it is rather complicated to explain.

Indeed. :)

-chuck

-- 
"But she goes not abroad in search of monsters to destroy." - John 
Quincy Adams