Page last modified 13:00, 17 Feb 2009 by MaxM
Permissioning lockout problem
Table of contents
- 1.1.1. Operations
- 1.1.2. Current Default Roles
- 1.1.3. Current Default Restrictions
- 1.1.4. Users
- 2. Proposed solutions
- 3. Use case 1: M makes P1 private with grants(N, V, C)
- 3.1.1.1. Status quo:
- 3.1.1.2. Dynamic roles:
- 3.1.1.3. Modify restrictions:
- 4. Use case 2: M makes P2 semi-public with grants(N,V,C)
- 4.1.1.1. Status quo:
- 4.1.1.2. Dynamic roles:
- 4.1.1.3. Modify restrictions:
Related Bugs:
Operations
LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE CHANGEPERMISSIONS CONTROLPANEL UNSAFECONTENT ADMIN
Current Default Roles
None: LOGIN Viewer: LOGIN BROWSE READ SUBSCRIBE Contributor: LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT Manager: LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT CHANGEPERMISSIONS
Current Default Restrictions
public allows: LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE CHANGEPERMISSIONS semi-public allows: LOGIN BROWSE READ SUBSCRIBE private allows: LOGIN
Users
- User N, N1 (None)
- User V (Viewer)
- User C, C1 (Contributor)
- User M (Manager)
Proposed solutions
Dynamic roles
All current and future grants are converted to special dynamic roles. These work by countering any restriction in place and in effect restores the base permissions of the user (user+group
Modify restrictions
Change restrictions to allow CHANGEPERMISSIONS (semi-public: 1039, private: 1025). This allows a page to have the usual operations removed such as reading and writing but allows a user with a base permission that includes CHANGEPERMISSIONS to continue to restrict and grant permissions limited by their base permissions containing other read/write related flags.
update restrictions set restriction_perm_flags = 1039 where restriction_name = 'Semi-Public'; update restrictions set restriction_perm_flags = 1025 where restriction_name = 'Private';
Use case 1: M makes P1 private with grants(N, V, C)
Status quo:
Response:
- P1 is set to private
- M, N, V, C are given Contributor grants to P1
Results:
- N: None - private + Contributor = Contributor
- V: Viewer - private + Contributor = Contributor
- C: Contributor - private + contributor = Contributor
- M: Manager - private + contributor = Contributor {LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT} (locked out!)
- N1: None - private = {}
- C1: Contributor - private= {}
Dynamic roles:
Response:
- P1 is set to private
- M, N, V, C are given *dynamic* grants to P1
Results:
- N: None - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = None
- V: Viewer - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Viewer
- C: Contributor - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Contributor
- M: Manager - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Manager
- C1: Contributor - private = {}
- N1: None - private = {}
Modify restrictions:
Response:
- P1 is set to private
- M, N, V, C are given Contributor grants to P1
Results:
- N: None - private + Contributor = Contributor
- V: Viewer - private + Contributor = Contributor
- C: Contributor - private + contributor = Contributor
- M: Manager - private + contributor = Contributor {LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT CHANGEPERMISSIONS}
- N1: None - private = {}
- C1: Contributor - private = {}
Use case 2: M makes P2 semi-public with grants(N,V,C)
Status quo:
Response:
- P2 is set to semi-public
- M, N, V, C are given Contributor grants to P2
Results:
- N: None - semipublic + Contributor = Contributor
- V: Viewer - semipublic + Contributor = Contributor
- C: Contributor - semipublic + contributor = Contributor
- M: Manager - semipublic + contributor = LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT (locked out!)
- N1: None - semipublic = {}
- C1: Contributor - semipublic = {LOGIN BROWSE READ SUBSCRIBE}
Dynamic roles:
Response:
- P2 is set to semi-public
- M, N, V, C are given *dynamic* grants to P2
Results:
- N: None - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = None
- V: Viewer - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Viewer
- C: Contributor - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Contributor
- M: Manager - (no restrictions subtracted due to *dynamic* grant) + *dynamic* = Manager
- C1: Contributor - semipublic = {LOGIN BROWSE READ SUBSCRIBE}
- N1: None - semipublic = {}
Modify restrictions:
Response:
- P2 is set to semi-public
- M, N, V, C are given Contributor grants to P2
Results:
- N: None - semipublic + Contributor = Contributor
- V: Viewer - semipublic + Contributor = Contributor
- C: Contributor - semipublic + contributor = Contributor
- M: Manager - semipublic + contributor = LOGIN BROWSE READ SUBSCRIBE UPDATE CREATE DELETE UNSAFECONTENT CHANGEPERMISSIONS
- C1: Contributor - semipublic = {LOGIN BROWSE READ SUBSCRIBE}
- N1: None - semipublic = {}
- Tag page
- What links here
| Images 0 | ||
|---|---|---|
| No images to display in the gallery. |
You must login to post a comment.
Copyright © 2011 MindTouch, Inc. Powered by