Re: New proposals for externalizing Roller user/permissions management

Wed, 01 Aug 2007 12:13:27 -0700 

Dave,
I took a quick look through this and I think it's looking pretty good. I like the idea of using the java security stuff as the base for the permissions, that sounds very clean and extensible. 


I like how the checkPermission(perm, user) method is very generic and 
simple, that seems like a very nice design.  So to take that design one 
step further, is there any reason why we really need to separate out the 
concept of roles vs. permissions any more?  Is there any reason to keep 
those separate in the data model any more?  i.e. what if we just had ...


public void grantPermission(RollerPermission perm, User user);


which would be a logic counterpart to the checkPermission(perm, user) 
method and would probably work similar to ...


  if(perm instanceof GlobalPermission) {
    // apply the user role
  } else if(perm instanceof WeblogPermission) {
    // grant weblog permission
  } else {
    // probably bad input
  }


this would further simplify the methods you mention because we would no 
longer need any of the grant/revoke methods, and instead of having get 
methods for roles vs. permissions we would just have getPermissions() 
methods.  would that work?



i also like that you've redone the permission table, which seems to 
simplify things as well, but can we carry that on from my suggestion 
above and just store all permission data in that table, including roles 
and weblog permissions?  would that work?



this way if you add all of that up we are greatly reducing the security 
framework into these methods ...


public boolean checkPermission(RollerPermission perm, User user);
public void grantPermission(RollerPermission perm, User user);
public void revokePermission(RollerPermission perm, User user);
public List<RollerPermission> getPermissions(User user);

is that feasible?

-- Allen


Dave wrote:

I have withdrawn my two Roller 4.1 user/perms management proposals and
replaced them with one proposal that incorporates feedback from Elliot
and Allen:

" Proposal Externalize User And Permissions Management"
http://tinyurl.com/28br55

Major changes
- Removed User Repository API
- Removed User Permssions API
- Defined single consistent permssions system exposed via UserManager
- Added details on specific changes to be made to implement the system

Comments and suggestions for improvement are more than welcome.

Thanks,
- Dave























					Reply via email to