From: Luis H. F. <lhf...@gm...> - 2006-02-03 01:36:10
On 2/2/06, David R. Newman <d.r...@qu...> wrote:
> Luis Henrique Fagundes wrote:
> > On 2/2/06, David R. Newman <d.r...@qu...> wrote:
> >> Luis Henrique Fagundes wrote:
> >>> David, do you have a proposal on how permission system could be
> >>> refactored to allow easy sql permission check considering group,
> >>> individual and category permissions?
> >> This is what I posted to this list on Dec 9 2003 - 3:36pm
> >>
> >>> all preferences and
> >>> permissions could be looked up as rows from a table containing
> >>> multiple fields, thus:
> >>>
> >>> Objectype: the type of object the preference or permission
> >>> applies to, such as wiki, article, blog, forum, newsletter, or
> >>> whatever.
> >
> > ok
> >
> >>> Action: the action permitted, such as read, edit, delete, post.
> >
> > ok, but here we should keep the same permissions name, like
> > tiki_p_read, because we want a code refactor and not a user behaviour
> > one. I do think that having tiki_p_ around for user is not good, but I
> > prefer not to mix the two things.
>
> See below for my suggestion about a wrapper function, that converts, say
> tiki_p_read, into a query where Action = 'read' and Objecttype = 'wiki'.

Why don't we just make this wrapper for user interface? We already have this tiki_p everywhere and every developer is used to it, I am afraid your proposal goes toward rebuilding the perm system, while my idea is to refactor, as amette explains, just to make it possible to efficiently and cleanly check object permissions in sql.

Basically, the permission works like this:

1- if object has individual permissions, use it
2- otherwise, use general permissions, unless...
3- if object is categorized and belongs to a category user doesn't have tiki_p_view_category, deny any permission on it.

I see two problems: first, there is an md5 in users_objectpermissions that makes checking in sql difficult and I see no reason for this md5. second, category permission is checked in code.
If you want to have an idea on how to check permissions in sql, check code of categlib.php and lib/searchlib.php. I like Sylvie's approach of a cache system that would consider every object for every group, but I would also rip that md5 (this would need php upgrade script though).

Now with categories, do you get a clearer idea of how your proposal could be implemented?

batawata
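
The three rules listed in the message above can be evaluated in a single SQL statement, shown here as an added example that is not part of the original message and is not Tiki code. The tables, columns and sample rows are hypothetical: the sketch assumes object ids are stored in plain form rather than as an md5, and that tiki_p_view_category is granted per category through the same object-permission table.

```python
import sqlite3

# Hypothetical, simplified schema (not Tiki's real tables). Object ids are
# stored in plain form, not as an md5, so they can be joined directly.
SCHEMA = """
CREATE TABLE user_groups (login TEXT, grp TEXT);
CREATE TABLE group_perms (grp TEXT, perm TEXT);
CREATE TABLE object_perms (grp TEXT, perm TEXT, obj_type TEXT, obj_id TEXT);
CREATE TABLE category_objects (categ_id TEXT, obj_type TEXT, obj_id TEXT);
CREATE TABLE wiki_pages (page TEXT);
"""
# Constructed sample data (users, grants, categories, pages).
DATA = """
INSERT INTO user_groups VALUES ('alice','Registered'),('bob','Registered'),('bob','Editors');
INSERT INTO group_perms VALUES ('Registered','tiki_p_read');
INSERT INTO object_perms VALUES ('Editors','tiki_p_read','wiki','Drafts'),
  ('Registered','tiki_p_read','wiki','Payroll'), ('Editors','tiki_p_view_category','category','7');
INSERT INTO category_objects VALUES ('7','wiki','Secret'),('7','wiki','Payroll');
INSERT INTO wiki_pages VALUES ('HomePage'),('Drafts'),('Secret'),('Payroll');
"""
QUERY = """
SELECT p.page FROM wiki_pages p
WHERE NOT EXISTS (              -- rule 3: no category hidden from the user
        SELECT 1 FROM category_objects c
        WHERE c.obj_type = 'wiki' AND c.obj_id = p.page AND NOT EXISTS (
          SELECT 1 FROM object_perms cp JOIN user_groups ug ON ug.grp = cp.grp
          WHERE ug.login = :login AND cp.perm = 'tiki_p_view_category'
            AND cp.obj_type = 'category' AND cp.obj_id = c.categ_id))
  AND CASE WHEN EXISTS (        -- rule 1: individual permissions take over
        SELECT 1 FROM object_perms o
        WHERE o.obj_type = 'wiki' AND o.obj_id = p.page)
      THEN EXISTS (
        SELECT 1 FROM object_perms o JOIN user_groups ug ON ug.grp = o.grp
        WHERE ug.login = :login AND o.perm = :perm
          AND o.obj_type = 'wiki' AND o.obj_id = p.page)
      ELSE EXISTS (             -- rule 2: fall back to general permissions
        SELECT 1 FROM group_perms g JOIN user_groups ug ON ug.grp = g.grp
        WHERE ug.login = :login AND g.perm = :perm)
      END
ORDER BY p.page
"""

def readable_pages(conn, login, perm="tiki_p_read"):
    return [r[0] for r in conn.execute(QUERY, {"login": login, "perm": perm})]

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + DATA)
    return conn
```

In the sample data, Payroll carries an individual grant for the Registered group but sits in a category that only Editors may view, so the category rule denies it to a user who is only in Registered.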