Jörn Nettingsmeier wrote:
hi everybody!

i propose to unify our authorizers (PolicyAuthorizer and
UsecaseAuthorizer) and to change the DefaultAccessController accordingly.

it turns out that the PolicyAuthorizer has a side effect that the
UsecaseAuthorizer depends on (see bug
http://issues.apache.org/bugzilla/show_bug.cgi?id=43049), so they are
not as pluggable and configurable as their many options would have us
believe.

the policy authorizer is severely broken (see
http://issues.apache.org/bugzilla/show_bug.cgi?id=42952) and blocking
our release.

fixing it in a sane way implies attaching a role to visiting pages. to
avoid hardcoding this role, it would be nice to have a mechanism similar
to the one for usecases, or better yet, to re-use the existing mechanism.

with a minor change to the existing usecase authorizer, the problem can
be solved. currently, the usecase authorizer will grant access by
default if no usecase is specified in the request.

this could be changed as follows:
if no usecase was specified, assume the "visit" usecase ac.visit and
check for the appropriate roles.

now we have mapped the page access decision onto a usecase access decision.
that way, the usecase authorizer can make the policy authorizer obsolete
and allows us to re-use our existing infrastructure of roles, usecase
permissions and subtree policies for basic page access control.

with some more testing, this one should be fit for inclusion:
http://issues.apache.org/bugzilla/show_bug.cgi?id=42952#c18

please review, so that we can talk about code freeze next.

regards,

jörn

--
Jörn Nettingsmeier
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.
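
Added example, not part of the original mail and not Lenya's code: a Java sketch of the usecase authorizer on its own, with the grant-by-default behaviour the mail describes beside the proposed `ac.visit` fallback. Every class, method, role and usecase name except `ac.visit` is hypothetical, the permissions and policies are constructed sample data, and the longest-prefix subtree lookup is an assumption.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch: names below are illustrative, not Lenya's API.
public class VisitUsecaseDemo {
    static final String VISIT = "ac.visit"; // default usecase named in the proposal

    // usecase -> roles permitted to run it (constructed sample permissions)
    static final Map<String, Set<String>> USECASE_ROLES = Map.of(
        VISIT, Set.of("visitor"),
        "site.edit", Set.of("editor"));

    // subtree policies: URL prefix -> user -> roles (constructed sample data)
    static final Map<String, Map<String, Set<String>>> POLICIES = Map.of(
        "/", Map.of("anonymous", Set.of("visitor"), "alice", Set.of("visitor", "editor")),
        "/internal", Map.of("alice", Set.of("visitor", "editor")));

    // Assumption: the policy of the longest matching subtree prefix applies.
    static Set<String> rolesFor(String user, String url) {
        String best = null;
        for (String prefix : POLICIES.keySet()) {
            boolean matches = prefix.equals("/") || url.equals(prefix) || url.startsWith(prefix + "/");
            if (matches && (best == null || prefix.length() > best.length())) best = prefix;
        }
        return best == null ? Set.of() : POLICIES.get(best).getOrDefault(user, Set.of());
    }

    static boolean hasRoleFor(String user, String url, String usecase) {
        Set<String> allowed = USECASE_ROLES.getOrDefault(usecase, Set.of()); // unknown usecase: deny
        return !Collections.disjoint(allowed, rolesFor(user, url));
    }

    // Behaviour described in the mail: no usecase in the request means access is granted.
    static boolean authorizeCurrent(String user, String url, String usecase) {
        return usecase == null || hasRoleFor(user, url, usecase);
    }

    // Proposed behaviour: a request without a usecase is checked as "ac.visit".
    static boolean authorizeProposed(String user, String url, String usecase) {
        return hasRoleFor(user, url, usecase == null ? VISIT : usecase);
    }

    public static void main(String[] args) {
        System.out.println(authorizeCurrent("anonymous", "/internal/report.html", null));
        System.out.println(authorizeProposed("anonymous", "/internal/report.html", null));
        System.out.println(authorizeProposed("anonymous", "/index.html", null));
        System.out.println(authorizeProposed("alice", "/internal/report.html", "site.edit"));
    }
}
```

With this sample data, the plain page request by `anonymous` under `/internal` passes the current usecase check and is denied by the proposed one, while the public page and alice's edit request are still allowed.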