Re: [OpenCA-Devel] etc/rbac/cmds/*.xml

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

[XML stuff]
> I recommend to throw away this stuff an replace it by a simpler
> solution. The commands are always loaded. So why do we do not using
> them? I have the following idea:
>
> Example: OpenCA::Server::Command::insert_csr.pm
>
> $AC::operation =3D "csr insertion";
> $AC::owner =3D "REQUEST";
>
> The operation is the same like the today's XML tag operation. Owner is =
a
> simplification with a more powerful logic. If the value is an OBJECT
> CLASS (like REQUEST) then we use the parameter KEY to load the object
> from the database and take the role from the loaded object (e.g.
> approve_csr). If the value is ROLE then we use the parameter role to
> read the role from it (e.g. insert_csr). If the value is empty then
> there is no role.

sounds good. So later on there would be a simple check

$AC::check_authorization() || return undef;

or similar, right?

Martin

Re: [OpenCA-Devel] etc/rbac/cmds/*.xml

Open Source PKI solutions

Re: [OpenCA-Devel] etc/rbac/cmds/*.xml