I'm wondering whether we really need to define scopes in the auth module, so
first of all we should define what we mean by scopes...
In my idea, scopes are the resources over which a certain permission is
given. Say the user foo is bound to the docmanager role, which grants the
permission to access the deleteDocument() method. Imagine each document is
contained in a folder, so each document has an association (1..*) to a
folder... As a sys admin I wish to say that the user foo can be a docmanager only
on docs contained in a specific folder set (folders A, B and C, for
example), excluding that privilege for any folder not listed.
Actually, to provide such fine-grained control over a privilege, we have to
write a custom AuthorizationHandler (say DocumentFolderHandler) bound to
the privilege; then, using information bound to the user's properties (or
the group's ones), we should check whether that information matches during the
authorization phase.
Could a less programmatic approach, like something based on a configuration
script, be a better solution?
Let's start the discussion and hear your suggestions...
--
View this message in context: http://www.nabble.com/Scoped-authorizations-are-really-needed--tf4529064s17546.html#a12923516
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
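As an added example (not SmartWeb code, and written in Python rather than the project's own language so it runs stand-alone), here is a sketch of the design the post describes: a role grants permissions, a binding of a user to that role carries an optional folder scope, and a per-permission scope handler (the post's DocumentFolderHandler) decides whether the scope covers the target document. The same bindings are then expressed as configuration data, the "less programmatic" alternative the post asks about. All class names, the CONFIG format, the choice that a binding without folders is unrestricted, and the rule that a document filed in several folders is in scope if any one of them is listed are assumptions of this example, not anything the post specifies.

```python
"""Scoped role bindings: an added, illustrative Python sketch of the idea in
the post above (not SmartWeb code; every name here is an assumption)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    folders: FrozenSet[str]  # the 1..* document-to-folder association


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]  # e.g. "deleteDocument"


@dataclass(frozen=True)
class RoleBinding:
    user: str
    role: Role
    # Assumed semantics: None = unrestricted; a set = only these folder ids.
    folder_scope: Optional[FrozenSet[str]] = None


# A scope handler answers: does this binding's scope cover this document?
ScopeHandler = Callable[[RoleBinding, Document], bool]


def document_folder_handler(binding: RoleBinding, doc: Document) -> bool:
    """The post's DocumentFolderHandler. Assumption: a document filed in
    several folders is in scope if at least one of them is listed."""
    if binding.folder_scope is None:
        return True
    return bool(doc.folders & binding.folder_scope)


class Authorizer:
    """Deny by default: a request passes only if some binding of the user
    grants the permission AND the permission's scope handler accepts."""

    def __init__(self) -> None:
        self._bindings: Dict[str, List[RoleBinding]] = {}
        self._handlers: Dict[str, ScopeHandler] = {}

    def bind(self, binding: RoleBinding) -> None:
        self._bindings.setdefault(binding.user, []).append(binding)

    def register_handler(self, permission: str, handler: ScopeHandler) -> None:
        self._handlers[permission] = handler

    def is_allowed(self, user: str, permission: str, doc: Document) -> bool:
        for binding in self._bindings.get(user, []):
            if permission not in binding.role.permissions:
                continue
            handler = self._handlers.get(permission)
            if handler is None:
                # No scope handler for this permission: a scoped binding
                # cannot be evaluated, so fail closed; only unrestricted
                # bindings count.
                if binding.folder_scope is None:
                    return True
                continue
            if handler(binding, doc):
                return True
        return False


# The "less programmatic" alternative: the same bindings as configuration
# data (assumed format), loaded into the same Authorizer.
CONFIG = {
    "roles": {"docmanager": ["readDocument", "deleteDocument"]},
    "bindings": [
        {"user": "foo", "role": "docmanager", "folders": ["A", "B", "C"]},
        {"user": "root", "role": "docmanager"},  # no folders: unrestricted
    ],
}


def build_from_config(cfg: dict) -> Authorizer:
    roles = {name: Role(name, frozenset(perms))
             for name, perms in cfg["roles"].items()}
    auth = Authorizer()
    for perms in cfg["roles"].values():
        for perm in perms:
            auth.register_handler(perm, document_folder_handler)
    for b in cfg["bindings"]:
        scope = frozenset(b["folders"]) if "folders" in b else None
        auth.bind(RoleBinding(b["user"], roles[b["role"]], scope))
    return auth


def demo() -> Dict[str, bool]:
    """Constructed sample requests evaluated against CONFIG."""
    auth = build_from_config(CONFIG)
    in_a = Document("d1", frozenset({"A"}))
    in_d = Document("d2", frozenset({"D"}))
    in_b_and_d = Document("d3", frozenset({"B", "D"}))
    return {
        "foo deletes d1 (folder A)": auth.is_allowed("foo", "deleteDocument", in_a),
        "foo deletes d2 (folder D)": auth.is_allowed("foo", "deleteDocument", in_d),
        "foo deletes d3 (B and D)": auth.is_allowed("foo", "deleteDocument", in_b_and_d),
        "foo uses unknown permission": auth.is_allowed("foo", "adminDocument", in_a),
        "bar (no binding) deletes d1": auth.is_allowed("bar", "deleteDocument", in_a),
        "root deletes d2 (folder D)": auth.is_allowed("root", "deleteDocument", in_d),
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request}: {'allowed' if verdict else 'denied'}")
```

The point worth keeping from this sketch, whichever of the two approaches is chosen, is that the scope check is evaluated at authorization time against the actual target resource, and that anything the handler cannot evaluate (a permission with no registered handler, a user with no binding) is denied rather than allowed.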