2011/11/23 Mike Müller <mike...@mysign.ch>: > I think the discussion here is missunderstood. It's neither about > to redefine existing ACLs nor about reinventing something already > existing. It's just about introducing hooks or entrypoint to let > developers define some other access controlling rules if needed. > Sling will NOT have to deal with permissions or policies, users and so > on. That's all up to the developer which want's to use the hooks. > So if you're are fine with the ACLs from JCR, you don't have to > change anything, if you are not, this would give you the chance > to solve your problem (like my example to give access to a > resource from 8.00 to 17.00). > So > It would help not only for special rules like the one above, it would > also help to handle access controlling on resources which are provided > from another resource provider than JCR, like the file system provider, > where no access controlling can be attached today.
Being picky here: We could provide access control by extending the file system provider to support it. And your example of time-restricted access could be implemented in Jackrabbit's existing AccessManager. I'm worried we're introducing a layer of resource filtering that will be hard to enforce across all scenarios, without breaking useability. I've been thinking more about the search issue. Jackrabbit's Lucene will report, say 200 results for a query. But Lucene does only know of Jackrabbit's access rules, not the Sling ones. So out of those 200 results, the user may only have access to 100 of them, or perhaps none at all. How are we going to report the number of search results to the end user, without iterating all search results while filtering them through Sling access control? The same, I guess, will affect for search features of other resource providers. OK, maybe the search result size problem is a small one, but I suspect there are other such cases (that I haven't been able to think about yet). -- Vidar S. Ramdal <vidar.ram...@webstep.no> Webstep AS - http://www.webstep.no Besøksadresse: Lilleakerveien 8, 0283 Oslo Postadresse: Postboks 272 Lilleaker, 0216 Oslo