On Thu, Nov 11, 2010 at 8:31 PM, Les Hazlewood <[email protected]> wrote:

> I'll give an example of why the existing behavior makes sense to me:
>
> user:read:jsmith:username
>
> Just because I can read (view) the jsmith user's username does _not_ imply
> that I should be able to see all of jsmith's user data. Perhaps I shouldn't
> be able to see the user record's password field for example.

I think that would be the "horizontal" way (assuming username and password are on the same "level" of some logical hierarchy). What Philippe says is that he needs the "vertical" way, from child to parent (up to root), to have permissions implied... And that makes sense: you need to access the parents in a tree to get to the child you have been granted access to.

WildcardPermission surely does not apply any "hierarchy" assumptions.

But it is an interesting idea: let's consider a basic tree structure. What Philippe actually wants is to grant access/permissions on a single node, and have the "path" opened from the root to that node. Things like UI, menus, wizards etc. are very easy to represent as trees, so this would be an interesting feature.

In that way, the permissions may be considered as some hierarchical URI or maybe "path", and the path elements would correspond to some domains of your app, like in his example:

app:taskLists/cstamas/T01:read

where "taskLists" in my application may apply to something like "may open the Task Lists Panel", "cstamas" corresponds to the taskList with ID "cstamas", and "T01" denotes the ID of the task in question.

Naturally, in my fictive app, granting this single permission to user "philippe", I would be able to allow him all the needed UI "route" to get to the information he needs.

But I think this is not really in the scope of Shiro. Also, it would be an interesting exercise to implement one ;)

If you stick to trees, you could have different strategies: "propagateUp" (applies to the node and the single path from the node to the root), "propagateDown" (applies to the given node and all children below), etc... a nice game, with powerful possibilities :D

Thanks,
~t~
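
The "propagateUp" and "propagateDown" strategies from the message above, sketched as an added example (not code from this thread and not part of Shiro). The `PathPermission` class, the `Strategy` enum and the `domain:path:action` parsing are assumptions made for illustration; `implies` only mirrors the shape of Shiro's `Permission.implies`. Paths are compared segment by segment, so a grant on `taskLists/cstamas` never matches `taskLists/cs`.

```java
import java.util.Arrays;
import java.util.List;
// Added illustration, not Shiro code. Assumed format: domain:path/with/segments:action
public class PathPermission {
    enum Strategy { EXACT, PROPAGATE_UP, PROPAGATE_DOWN }

    private final String domain, action;
    private final List<String> path;
    private final Strategy strategy;

    PathPermission(String spec, Strategy strategy) {
        String[] parts = spec.split(":");
        if (parts.length != 3) throw new IllegalArgumentException("expected domain:path:action, got " + spec);
        domain = parts[0];
        path = Arrays.asList(parts[1].split("/"));
        action = parts[2];
        this.strategy = strategy;
    }

    // True when 'prefix' matches the leading segments of 'full' (whole segments, not substrings).
    private static boolean isPrefix(List<String> prefix, List<String> full) {
        return prefix.size() <= full.size() && full.subList(0, prefix.size()).equals(prefix);
    }

    // Does this granted permission cover the requested one? Domain and action must match exactly.
    boolean implies(PathPermission requested) {
        if (!domain.equals(requested.domain) || !action.equals(requested.action)) return false;
        switch (strategy) {
            case PROPAGATE_UP:   return isPrefix(requested.path, path);  // node plus its ancestors
            case PROPAGATE_DOWN: return isPrefix(path, requested.path);  // node plus its descendants
            default:             return path.equals(requested.path);     // the node only
        }
    }

    public static void main(String[] args) {
        PathPermission up = new PathPermission("app:taskLists/cstamas/T01:read", Strategy.PROPAGATE_UP);
        PathPermission down = new PathPermission("app:taskLists/cstamas:read", Strategy.PROPAGATE_DOWN);
        String[] requests = {                       // constructed sample requests
            "app:taskLists:read",                   // ancestor panel
            "app:taskLists/cstamas:read",           // the task list itself
            "app:taskLists/cstamas/T02:read",       // sibling task
            "app:taskLists/cs:read",                // string prefix, different segment
            "app:taskLists/cstamas/T01:write",      // same node, different action
        };
        for (String r : requests) {
            PathPermission req = new PathPermission(r, Strategy.EXACT);
            System.out.printf("%-34s up=%-5b down=%b%n", r, up.implies(req), down.implies(req));
        }
    }
}
```

Note that the upward strategy here carries the same action to every ancestor; a design that only wants the route opened for navigation would map ancestors to a separate, weaker action instead.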
