On Mon, Mar 21, 2011 at 3:56 PM, Henry Story <[email protected]> wrote:

> In the WebIdGraphsService a permission on a graph is set by calling
>
> tcManager.getTcAccessController.setRequiredReadPermissionStrings(localGraphUri,
> List(new TcPermission(Constants.CONTENT_GRAPH_URI_STRING,
> TcPermission.READ).toString))
>
> I don't understand what
> Constants.CONTENT_GRAPH_URI_STRING
>
> has to do in there. I am not sure how to read the
> setRequiredReadPermissionStrings method.
>

This method sets a permission required to read from a specified graph. By default, to read from a graph named <http://foo/> one needs the permission

(org.apache.clerezza.rdf.core.access.security.TcPermission "http://foo/" "read")

By calling setRequiredReadPermissionStrings one can set an arbitrary list of permissions the user requires to read from a TripleCollection. If the method has been called, the set permissions are required instead of the default permission to read from a Graph.

For example, calling

tcManager.getTcAccessController.setRequiredReadPermissionStrings(recipiesGraphUri, List("(org.example.CookingPermission \"\" \"\")"))

would cause the recipiesGraph to be readable by anyone who has CookingPermission.

The effect of the example you quote is that anyone who has read permission on the content graph is allowed to read from the graph denoted by localGraphUri.

>
> Also is it called setRequiredReadPermissionStrings when you can set read or
> write permissions?
>

With setRequiredReadPermissionStrings you can set arbitrary permissions that are all required to read a specified triple collection; it doesn't matter how the permissions are called.

> Why not just setPermissions?
>

Because it shall be possible (and we generally want) to set different sets of permissions required for reading and for writing.

>
> I would like to have a graph for each user with an account, to which every
> agent on the web - even anonymous users - can write, but where the deleting
> is going to be very restricted.

There is no distinction between writing and deleting; one is either allowed to modify an MGraph or isn't. If an application wants to allow users adding information to a graph but not removing information, then it should do the graph access as privileged after possibly checking that the user has the permission required by the application (no check required in your case).

> I also want to filter that graph so that each agent can only see what he
> wrote to the graph.
>

In this case you should create a distinct graph for every user; the user will write and read to this graph, while others might access the union of all these graphs.

> The point of this graph is for people using other CMSes to be able to send
> pings to a Clerezza user in order to notify him for example that she was
> added to someone's foaf profile for example.
>

I'm wondering if it is a required feature that users can see what they wrote to this graph. Also I'm wondering what the advantages of such an inbox-graph are; would the owner of the mailbox frequently want to see the merge from all the added graphs?

>
> I am not quite sure what permissions I should set on that graph... If there
> was to be a permission restriction, it might be for certain code to be able
> to write to that graph - the ping code for example.
>

To me it's still hard to see what exactly you're envisaging; spontaneously I think only the owner of the mailbox should have permissions on the graph and have code which adds triples on behalf of other users which do not themselves have write-right to the graph.

Cheers,
Reto
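
Added example, not part of the original message and not Clerezza code: a simplified Java model of the read rule described in the reply above, showing that a configured permission list replaces the default TcPermission requirement and that every listed permission must be held. The class `RequiredReadPermissions`, the record `Perm` and the URIs are made up for illustration; permission strings are assumed to follow the `(class "name" "actions")` shape quoted in the message, and permissions are compared by equality rather than through `implies()`.

```java
import java.util.*;
import java.util.regex.*;

/** Added illustration of the rule described in the reply; a simplified model, not Clerezza code. */
public class RequiredReadPermissions {
    static final String TC_PERMISSION = "org.apache.clerezza.rdf.core.access.security.TcPermission";
    // Assumed shape, taken from the strings quoted in the reply: (class "name" "actions")
    private static final Pattern ENCODED =
            Pattern.compile("\\(([\\w.$]+) \"([^\"]*)\" \"([^\"]*)\"\\)");

    // Permission reduced to its three fields; the implies() logic of real permissions is left out.
    record Perm(String type, String name, String actions) {
        static Perm parse(String encoded) {
            Matcher m = ENCODED.matcher(encoded.trim());
            if (!m.matches()) throw new IllegalArgumentException("malformed permission: " + encoded);
            return new Perm(m.group(1), m.group(2), m.group(3));
        }
    }

    private final Map<String, List<Perm>> requiredRead = new HashMap<>();

    // Models setRequiredReadPermissionStrings: the list replaces the default requirement.
    void setRequiredReadPermissionStrings(String graphUri, List<String> encoded) {
        requiredRead.put(graphUri, encoded.stream().map(Perm::parse).toList());
    }

    // Default: TcPermission "<graphUri>" "read". Once a list is set, every entry in it must be held.
    boolean mayRead(String graphUri, Set<Perm> granted) {
        List<Perm> required = requiredRead.getOrDefault(graphUri,
                List.of(new Perm(TC_PERMISSION, graphUri, "read")));
        return granted.containsAll(required);
    }

    public static void main(String[] args) {
        String content = "urn:x-example:content-graph";   // constructed URIs
        String local = "http://example.org/local-graph";
        Perm readContent = new Perm(TC_PERMISSION, content, "read");
        Perm readLocal = new Perm(TC_PERMISSION, local, "read");
        RequiredReadPermissions acl = new RequiredReadPermissions();

        System.out.println("default rule, holds read on local:     " + acl.mayRead(local, Set.of(readLocal)));
        acl.setRequiredReadPermissionStrings(local,
                List.of("(" + TC_PERMISSION + " \"" + content + "\" \"read\")"));
        System.out.println("override, holds read on content graph: " + acl.mayRead(local, Set.of(readContent)));
        System.out.println("override, holds only read on local:    " + acl.mayRead(local, Set.of(readLocal)));
        System.out.println("override, holds no permission at all:  " + acl.mayRead(local, Set.of()));
    }
}
```

The third case is the one to check when reviewing such a setting: a principal that held only the default read permission on the graph loses access once a list is configured.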
