Re: [WWdevel] Config module questions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Sep 29, 2005, at 22:32, John Jones wrote:

> Sam Hathaway wrote:
>
>> On Sep 29, 2005, at 20:42, John Jones wrote:
>>
>>> One problem with permissions is that the value of things like  
>>> "ta"  is configurable in global.conf, but the value is not  
>>> visible from  the outside.  One change I was going to make in  
>>> global.conf.dist  was to add to the permissions structure:
>>>
>>> %permissionLevels = (
>>>        login                          => $guest,
>>>        report_bugs                    => $student,
>>> ...
>>>        guest     => $guest,
>>>        student   => $student,
>>>        proctor   => $proctor,
>>>        ta        => $ta,
>>>        professor => $professor,
>>> );
>>
>> I'd caution against adding these values as "permissions". They're   
>> not, and they would invite abuse whereby code would check   
>> hasPermissions($userID, "ta") instead of creating a logical  
>> capability.
>>
>> Instead, why not add a %userRoles hash, like this:
>>
>> %userRoles = (
>>        guest     => -5,
>>        student   => 0,
>>        proctor   => 2,
>>        ta        => 5,
>>        professor => 10,
>> );
>>
>> and then redefine %permissionLevels like so:
>>
>>
>> %permissionLevels = (
>>        login                          => $userRoles{guest},
>>        report_bugs                    => $userRoles{student},
>>
>
> I was thinking of this, but thought someone would object since $ta,  
> $student, etc were specifically kept out of the course  
> environment.  But, I think this would definitely be better.  It  
> would mean a site could add a permission level by adding it in one  
> place in global.conf.

My long term plan is to replace the permission_level field in the  
permission table with a role field, and then also have  
include_permissions and omit_permissions to include additional or  
omit omissions from the role.

>> or even, with a slight change to Authz.pm:
>>
>> %permissionLevels = (
>>        login                          => "guest",
>>        report_bugs                    => "student",
>>
>> Come to think of it, once we have this, we can go wild. It would  
>> be  nice to break out of the this-permission-value-or-higher trap,  
>> for  example:
>>
>> %permissionLevels = (
>>        login                          => qw/guest student proctor  
>> ta  professor/,
>>        report_bugs                    => qw/student proctor ta   
>> professor/,
>
> Have people run into cases where there was a problem with  
> permission types being linearly ordered?

Not in particular, although it's caused us to have to have weirdly  
formulated permissions like avoid_recording_answers and  
dont_log_past_answers.

Allowing for this would bring the permission system closer to being a  
generalized  role-based authentication system.
-sam