On 6 Jul 2010, at 11:31, Alexander Klimetschek wrote: > On Tue, Jul 6, 2010 at 12:24, Ian Boston <[email protected]> wrote: >> >> >> >> On 6 Jul 2010, at 10:15, Alexander Klimetschek wrote: >> >>> On Tue, Jul 6, 2010 at 11:13, Alexander Klimetschek <[email protected]> >>> wrote: >>>> On Tue, Jul 6, 2010 at 10:21, Ian Boston <[email protected]> wrote: >>>>> A follow up on this, low level permissions wont work since they cant >>>>> discriminate between list children and get child. >>>> >>>> Rereading your original mail now, I note that I didn't see that you >>>> still want the sub nodes to be accessible. Then my answer is no >>>> solution, of course ;-) >>> >>> Actually principal-based access controls make my suggestion simpler to >>> setup, especially the second point: >> >> >> We still have the list all children problem here. > > No. If userX has read/write access to /_user/ieb but not to /_user/a, > /_user/b and all the other subnodes of /_user then node.getNodes() > will only return /_user/ieb.
All users have read to /_user/<userid> becuase there are public materials in /_user/<userid> No users have list on /_user because of the policy. Thats what I have to achieve. Ian > >> The data protection policy that is driving this is that, we have 50K users, >> all with user ID's we have to prevent anyone from getting a list of the user >> ID's, but still allow someone who knows the user ID to access the content. >> Its the same as the UserDir module in Apache httpd ie /~ieb > > Regards, > Alex > > -- > Alexander Klimetschek > [email protected]
