[Spacewalk-devel] User Access Module

Partha Aji paji at redhat.com
Fri Jul 4 13:17:00 EDT 2008


Well, I see this class as doing more than mere permission checking. I 
definitely prefer the canViewChannel approach to the hasRight approach, 
because sometimes we are doing more than checking on a Role to see if 
the user has the permission to deal with this...
Diverging off topic a bit, I'd like the methods to have names like 
assertXYZauthorized and raise permission exceptions instead of returning 
true/false. I am tired of doing

    if (!this role) {
        Throw exception CAN'T DO THIS!
    }

I'd prefer

    Authorizer.assertCanViewChannel(user);
    do whatever you want with this authorization

Partha


Devan Goodwin wrote:
> On Thu, 03 Jul 2008 18:52:42 -0400
> Justin Sherrill <jsherril at redhat.com> wrote:
> 
>> Hi All,
>>
>> I kind of remember someone mentioning this previously, but can't 
>> remember exactly where.
>>
>> We really really need some sort of centralized authorization
>> mechanism. It may be too little too late, but I think now is better
>> than never. And we could easily add the checks to other pages. 
>>
>> Basically I'm just proposing a class with tons and tons of:
>>
>> UserAccessPolicy.canViewChannel(User user, Channel channel)
>> UserAccessPolicy.canModifyChannel()
>>
>>
>> If this gets implemented everywhere, we only have one place to change 
>> when we eventually do add fine-grained user access control.  It
>> would be fairly easy to check which actions were using this, simply
>> by doing a grep of our Actions for UserAccessPolicy.  Lists wouldn't
>> really be able to use it for the individual items (so we may still
>> want to resort to query based restrictions there), but it would cover
>> a large portion of the app.
>>
>> We could also port our Access class to use this as well.
>>
>> -Justin
> 
> Was hoping to get something very minimal in place for this during work
> on the Support User. Initially I was thinking of something a little
> flatter and data driven like SomeClass.hasRight("create.users", arg0...)
> but that's going to come with some drawbacks. Haven't been able to
> think it all the way through yet though, and there's *a lot* to think
> about. Maybe we can get some discussion going here as to what people
> would like this to look like technically, but if not we should get
> together sometime and see what we can come up with.
> 
> Devan
> 
> -- 
> Devan Goodwin <dgoodwin at redhat.com>
> Software Engineer      Red Hat Network
> Halifax, Canada     650.567.9039x79267
> 
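
The assert-style check described in the reply above, layered over the boolean check from the original proposal, as an added example that is not code from this thread or from Spacewalk. The User and Channel records, the role names, the same-organization rule and PermissionException are all assumptions made for illustration, and the two-argument signature follows the canViewChannel(User user, Channel channel) form quoted in the thread.

```java
import java.util.Set;

// Added illustration; User, Channel, the role names and PermissionException
// are hypothetical stand-ins, not Spacewalk classes.
public class AuthorizerExample {
    record User(String login, long orgId, Set<String> roles) {}
    record Channel(String label, long orgId) {}

    static class PermissionException extends RuntimeException {
        PermissionException(String msg) { super(msg); }
    }

    static final class Authorizer {
        private Authorizer() {}

        // Boolean form: the single place where the rule lives.
        static boolean canViewChannel(User user, Channel channel) {
            if (user == null || channel == null) {
                return false; // fail closed on missing input
            }
            return user.orgId() == channel.orgId()
                    && (user.roles().contains("channel_admin")
                        || user.roles().contains("channel_viewer"));
        }

        // Assert form: a denial cannot be silently ignored by the caller.
        static void assertCanViewChannel(User user, Channel channel) {
            if (!canViewChannel(user, channel)) {
                String who = (user == null) ? "<anonymous>" : user.login();
                String what = (channel == null) ? "<none>" : channel.label();
                throw new PermissionException(who + " may not view channel " + what);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Channel ch = new Channel("constructed-channel", 1L);
        User viewer = new User("alice", 1L, Set.of("channel_viewer"));
        User outsider = new User("bob", 2L, Set.of("channel_admin"));

        Authorizer.assertCanViewChannel(viewer, ch); // returns normally
        System.out.println("alice: allowed");
        try {
            Authorizer.assertCanViewChannel(outsider, ch);
        } catch (PermissionException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Keeping the boolean method alongside the assert method lets list pages filter items without exceptions, while action handlers use the throwing form so a missed check fails closed.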



