[turba] read-only ldap sources

[Chuck Hagenbuch]

Quoting liamr at umich.edu:

>> I'm not entirely sure what you're asking, but if you add
>> sub-permissions to an application, then you must set permissions for
>> that application. If there are no permissions, we assume authenticated
>> users can access the app, guests can't. If any permissions exist (and
>> creating children forces the creation of the parent, so it exists),
>> then they are honored explicitly.
>
> If I follow this process..
>
>    From within the permissions screen in the admin section...
>    - Add a child permission to "All Permissions" for "Address Book (turba)
>    - Add a child permission to "Address Book (turba)"  for "Sources"
>    - Add a child permission to "Sources" for the name of the RO LDAP resource
>    - Change the permssions on the RO LDAP resource to "Show / Read"
> for "All Authenticated Users"
>
> .. then the only people who have access to Turba are the ones listed
> in $conf['auth']['admins'].  To allow the rest of my authenticated
> users access, I need add "Show / Read" access to "Address Book" for
> "All Authenticated Users".

Yes, that's what I was trying to say above.

> Which makes me wonder..
> - what would Edit or Delete at that permission level allow people do
> to / restrict people fro doing?

Nothing. The only permissions relevant to applications are SHOW (does  
the app show up in the sidebar) and READ (can they use it).

> - do I need to need to assign explicit permissions at the "Sources" level?

No.

> - do I need to assign permissions for the other sources ("My Address
> Book" or "Favorite Recipients")?

If permissions do not exist for a source the default logic will be  
used, so no.

-chuck