hi everybody!
i propose to unify our authorizers (PolicyAuthorizer and
UsecaseAuthorizer) and to change the DefaultAccessController accordingly.
the policy authorizer is severely broken (see
http://issues.apache.org/bugzilla/show_bug.cgi?id=42952) and blocking
our release.
fixing it in a sane way implies attaching a role to visiting pages. to
avoid hardcoding this role, it would be nice to have a similar mechanism
as for usecases, or better yet, to re-use the existing mechanism.
with a minor change to the existing usecase authorizer, the problem can
be solved. currently, the usecase authorizer will grant access by
default if no usecase is specified in the request.
this could be changed as follows:
if no usecase was specified, assume the "visit" usecase ac.visit and
check for the appropriate roles.
now we have mapped the page access decision onto a usecase access decision.
that way, the usecase authorizer can make the policy authorizer obsolete
and allows us to re-use our existing infrastructure of roles, usecase
permissions and subtree policies for basic page access control.
the only minor cosmetic issue is that we would not have an authorizer in
the ac module any more - the usecase authorizer would have to reside in
the usecase module. but i don't see a problem with that, since imho
usecases are so fundamental a concept that doing without them implies
doing without lenya...
comments eagerly awaited, me want squash evil blocker bug.
jörn
--
Jörn Nettingsmeier
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.
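
The change proposed in the message above, sketched as an added example; it is not part of the original mail and not Lenya's own code. All class, method and role names and the "edit.page" usecase are hypothetical; only the usecase name "ac.visit" comes from the mail. It assumes the roles for the requested URL have already been resolved from the policies.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Hypothetical model, not Lenya's classes: usecase permissions map a usecase
// name to the set of roles that may execute it.
public class VisitUsecaseDemo {
    static final String VISIT_USECASE = "ac.visit"; // name taken from the proposal

    // Constructed sample permissions; role and usecase names are made up.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
            VISIT_USECASE, Set.of("visitor", "editor"),
            "edit.page", Set.of("editor"));

    // Current behaviour as described in the mail: no usecase, access granted.
    static boolean authorizeCurrent(String usecase, Set<String> roles) {
        if (usecase == null || usecase.isEmpty()) {
            return true; // plain page requests never reach the role check
        }
        return hasPermittedRole(usecase, roles);
    }

    // Proposed behaviour: a request without a usecase is checked as "ac.visit".
    static boolean authorizeProposed(String usecase, Set<String> roles) {
        String effective = (usecase == null || usecase.isEmpty()) ? VISIT_USECASE : usecase;
        return hasPermittedRole(effective, roles);
    }

    // Deny when the usecase has no permission entry or no role matches.
    static boolean hasPermittedRole(String usecase, Set<String> roles) {
        Set<String> allowed = PERMISSIONS.getOrDefault(usecase, Set.of());
        return !Collections.disjoint(allowed, roles);
    }

    public static void main(String[] args) {
        Set<String> anonymous = Set.of();       // no roles granted on this URL
        Set<String> visitor = Set.of("visitor");
        Set<String> editor = Set.of("editor");
        System.out.println("current,  anonymous, page view: " + authorizeCurrent(null, anonymous));
        System.out.println("proposed, anonymous, page view: " + authorizeProposed(null, anonymous));
        System.out.println("proposed, visitor,   page view: " + authorizeProposed(null, visitor));
        System.out.println("proposed, visitor,   edit.page: " + authorizeProposed("edit.page", visitor));
        System.out.println("proposed, editor,    edit.page: " + authorizeProposed("edit.page", editor));
    }
}
```

With the proposed mapping, the page-view decision goes through the same role check as every other usecase, so a user without a permitted role is no longer let through just because the request names no usecase.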