Re: [Openinteract-dev] Object security inheritance

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Andrew Hurst wrote:
> ...
>   The question I had is regarding security.  How can I make them inherit 
> security as well?  I've seen the object security page, and how you can 
> edit it for one document, but when I change it for the main Document, I 
> want it to change for all of the DocumentPages as well.  The one way 
> I've thought about doing this so far is to have each DocumentPage check 
> the security status of its parent, and only show if the person has 
> security for the parent.  What would be really cool would be the ability 
> to override it per-page as well ( i.e. the whole document can be seen by 
> everyone, but the middle 26 pages can only be seen by those in the 
> 'president' group ;) (yes this was a bad joke, and no I have no relation 
> to any of that, nor does this code)

There's a custom security implementation that allows you to set and 
find security based on an inherited hierarchy 
(SPOPS::Secure::Hierarchy). You might be able to work with it or use 
it to spawn your own. As is it's built primarily for security a 
document tree like:

  /reports/executive/july-03.html  - inherited from
                                     '/reports/executive'
  /reports/executive               - security set so that only
                                     'executive' group can read,
                                     overrides '/reports' setting
  /reports                         - security set so that all
                                     employees can read, overrides
                                     '/' setting
  /                                - security set so that any valid 

                                     user can read

So you might be able to create a field in each DocumentPage object 
with something like:

  location => /mydocument/page1

And then have a custom page/handler to set the security for the main 
Document which ALSO sets the security for the DocumentPage object of 
that location. So a Document with a location of:

  /mydocument

Would set security (assuming group, ID 3, level WRITE) for both:

  class            id            scope  scope_id  level
  OI::Document     /mydocument   g      3         8
  OI::DocumentPage /mydocument   g      3         8

(Or you could only set the DocumentPage entry, that's up to you). 
All DocumentPage objects  with a location '/mydocument' would 
inherit that setting, and you'd have the option of overriding the 
setting on an object-by-object (or other scheme) basis.

See the conf/spops.perl file in pkg/base_page/conf for how it sets 
up hierarchical security. The front-end for editing it is in the 
'Security' admin tools -- if you choose to edit security for an 
object that's hierarchically protected then you get a different 
initial form than if it's not.

Hope this makes sense,

Chris

-- 
Chris Winters (ch...@cw...)
Building enterprise-capable snack solutions since 1988.