Jorge Godoy wrote:
> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:
>
> > Personally, I would say this better be generalized to a user defined
> > function as these authorization things can easily get too complex. There
> > you can implement using whatever thing that is appropriate (hook to
> > LDAP, your own RDBMS tables etc.)
>
> So if the return from this function was "True" you'd be granted access,
> otherwise denied access? It sounds OK to me -- for now. :-)

Yup, or some access mask like Read/Write/Delete or whatever. My take is that it may be OK to generalize these very common attributes (drawing experience from the file system), but the actual matching better be delegated to the user modules.

Especially like some want groups, but how about nested groups? How about roles? How about default not allowed but allowed selectively? How about default allowed but denied selectively? We have the advantage of using SQL (in some form), which is really good at these kinds of things.
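The idea discussed in this message, as an added example that is not part of the original post or of any project's code: a user-supplied hook that returns an access mask, resolves nested groups in SQL, and applies default-deny with selective deny overriding allow. The table names, the function names and the sample data are all assumptions constructed for the illustration.

```python
import sqlite3

READ, WRITE, DELETE = 1, 2, 4  # access-mask bits (illustrative names)

SCHEMA = """
CREATE TABLE membership (member TEXT, grp TEXT);  -- user->group or group->group
CREATE TABLE acl (principal TEXT, resource TEXT, allow INTEGER, deny INTEGER);
"""

# Recursive CTE: the user plus every group reachable through nesting.
# UNION (not UNION ALL) de-duplicates, so a membership cycle still terminates.
ACL_ROWS = """
WITH RECURSIVE p(name) AS (
    SELECT ?
    UNION
    SELECT m.grp FROM membership m JOIN p ON m.member = p.name
)
SELECT a.allow, a.deny FROM acl a JOIN p ON a.principal = p.name
WHERE a.resource = ?
"""

def access_mask(conn, user, resource):
    """Hypothetical user-defined hook: return the granted access mask.

    No matching row means mask 0 (default deny); a deny bit set on any
    matching principal overrides an allow bit set on another.
    """
    allow = deny = 0
    for a, d in conn.execute(ACL_ROWS, (user, resource)):
        allow |= a
        deny |= d
    return allow & ~deny

def is_allowed(conn, user, resource, wanted):
    """True only if every requested bit is granted."""
    return (access_mask(conn, user, resource) & wanted) == wanted

def demo_db():
    """Constructed sample data: 'editors' is nested inside 'staff'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO membership VALUES (?, ?)", [
        ("alice", "editors"), ("mallory", "editors"),
        ("editors", "staff"), ("bob", "staff"),
    ])
    conn.executemany("INSERT INTO acl VALUES (?, ?, ?, ?)", [
        ("staff", "/wiki", READ, 0),
        ("editors", "/wiki", WRITE | DELETE, 0),
        ("mallory", "/wiki", 0, WRITE | DELETE),  # selective deny for one user
    ])
    return conn
```

A "default allowed, deny selectively" policy fits the same hook by adding an allow row for a catch-all group that every user belongs to.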

