From: Mark W. <ma...@rw...> - 2011-02-17 14:20:17
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#ffffff"> Hi Dave, <br> <br> I see your point that it does add extra complexity; however, it won't introduce extra bugs because the code<br> is already tried and tested. If you would like, I am able to demonstrate the auth stuff on another site.<br> The main benefit the update will bring is scalability.<br> <br> Only one line of code is required to check for authorisation:<br> <br> <pre>if (Auth::ACCESS_GRANTED == Auth::requestAuth('monthly', 'view')) {
    // yes
}
else {
    // no
}</pre> <br> Every page in tsng already has the one line of code at the top of the page to check whether a given user can access a page or not.<br> <br> Regards<br> Mark<br> <pre class="moz-signature" cols="72">_____________________________________________ Mob: 07725 695178 Email: <a class="moz-txt-link-abbreviated" href="mailto:ma...@rw...">ma...@rw...</a></pre> <br> On 17/02/2011 11:00, David Thompson wrote: <blockquote cite="mid:BAY...@ph...l" type="cite"> My feedback: it looks very complicated, for something that at the moment is relatively simple.<br> So does it justify introducing a lot of code, and bugs, for the feature that it brings (finer user access control)?<br> <br> <hr id="stopSpelling"> Date: Thu, 17 Feb 2011 09:32:57 +0000<br> From: <a class="moz-txt-link-abbreviated" href="mailto:ma...@rw...">ma...@rw...</a><br> To: <a class="moz-txt-link-abbreviated" href="mailto:tsh...@li...">tsh...@li...</a><br> Subject: Re: [Tsheetx-developers] [SPAM] Re: security model<br> <br> Hi Peter, <br> <br> The privilege levels, i.e. user, reporter, manager, administrator, would be created as different user groups. 
A user can be a member of several groups.<br> <br> So:<br> user table:<br> 1. admin<br> 2. joe bloggs<br> 3. test user<br> <br> user group table:<br> guest<br> user<br> reporter<br> manager<br> admin<br> <br> user group assignment:<br> admin -> administrator<br> admin -> manager<br> joe bloggs -> user<br> joe bloggs -> report<br> test user -> user<br> test user -> report<br> <br> privilege table:<br> 1. monthly, view<br> 2. stopwatch, view<br> 3. clockings, edit<br> 4. reports, view<br> <br> privilege assignment:<br> reporter -> 4 (reports, view) granted<br> user -> 1 (...) granted<br> user -> 2 granted<br> manager -> 3 granted<br> test user -> 4 denied<br> <br> If a request is made to access an area that hasn't been defined in a user's access control list, then access is denied.<br> If a user is denied access at any point, that is it. Denied. I.e. the test user above is granted access to reports through the reports group but<br> is denied access on a specific user basis. Therefore he is denied access. A deny should always overrule an allow, in my opinion.<br> <br> The (monthly, view) bit is just a way of allowing pseudo groups of privileges to exist so that they can be searched more easily. The fact that<br> it is two fields, 'monthly' and 'view', has no real effect.<br> <br> In terms of default user groups, this would be configured. A user who is not logged in is part of the group guest. A new signup is part of the group user.<br> Therefore I would add an extra group above 'tsx_users' so that a new signup has to request access to be able to start using the timesheet functions. 
Alternatively an admin could register a new user and give them access straight away.<br> <br> Please could I have some feedback on my proposed update?<br> <br> Regards<br> Mark Wrightson<br> <pre wrap=""> _______________________________________________ Tsheetx-developers mailing list <a class="moz-txt-link-abbreviated" href="mailto:Tsh...@li...">Tsh...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/tsheetx-developers">https://lists.sourceforge.net/lists/listinfo/tsheetx-developers</a> </pre> </blockquote> </body> </html>
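The access-check rules Mark lays out in the quoted message (a user belongs to several groups, privilege entries exist per group or per user, a deny overrules any allow, and anything not defined is denied) as an added PHP example; this is not tsng/tsheetx code, and the Auth class shape, the requestAuth signature and the sample data are assumptions reconstructed from the tables in his message.

```php
<?php
// Added example, not tsng/tsheetx code: a minimal Auth class with the semantics
// described in the thread (groups, group/user privilege entries, deny overrides
// allow, default deny). Data and names are constructed from the thread's tables.
class Auth
{
    const ACCESS_GRANTED = 1;
    const ACCESS_DENIED  = 0;
    // user => groups (the "user group assignment" table)
    private static $userGroups = [
        'admin'      => ['administrator', 'manager'],
        'joe bloggs' => ['user', 'reporter'],
        'test user'  => ['user', 'reporter'],
        'guest'      => ['guest'],          // visitor who is not logged in
    ];
    // subject (group or user) => ['area,action' => 'granted'|'denied']
    private static $privileges = [
        'reporter'  => ['reports,view'   => 'granted'],
        'user'      => ['monthly,view'   => 'granted', 'stopwatch,view' => 'granted'],
        'manager'   => ['clockings,edit' => 'granted'],
        'test user' => ['reports,view'   => 'denied'],
    ];

    public static function requestAuth(string $user, string $area, string $action): int
    {
        $key = "$area,$action";
        // The user's own entries plus every group they belong to; an unknown
        // user has no groups and so falls through to the default deny below.
        $subjects = array_merge([$user], self::$userGroups[$user] ?? []);
        $granted = false;
        foreach ($subjects as $subject) {
            $decision = self::$privileges[$subject][$key] ?? null;
            if ($decision === 'denied') {
                return self::ACCESS_DENIED;     // a deny always overrules an allow
            }
            $granted = $granted || ($decision === 'granted');
        }
        // Default deny: nothing defined for the user or any of their groups.
        return $granted ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }
}

// Walk the cases discussed in the thread and print the decision for each.
foreach ([['joe bloggs', 'reports', 'view'],   // grant comes from the reporter group
          ['test user',  'reports', 'view'],   // user-level deny versus the group grant
          ['test user',  'monthly', 'view'],   // grant comes from the user group
          ['joe bloggs', 'clockings', 'edit'], // never defined for joe's groups
          ['guest',      'monthly', 'view']] as [$u, $a, $ac]) {
    $ok = Auth::requestAuth($u, $a, $ac) === Auth::ACCESS_GRANTED ? 'granted' : 'denied';
    echo "$u -> $a,$ac: $ok\n";
}
```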