Posted to dev@clerezza.apache.org by florent andré <fl...@4sengines.com> on 2014/02/13 16:21:23 UTC

Manage graph access right

Hi there !

I've got an app where users can sign in and log in to LDAP via a specific 
authenticationChecker (overcomplicated now, needs to be simplified...).

And a user can create a graph through a specific endpoint (that does some 
graph initialization stuff).

Now I would like to implement this kind of rules:
* by default a user can only list his graph
* a user can only read and modify his graph
* a user can share readability of these graphs
* a user can allow some users to modify some of his graphs.

How can I manage that via Clerezza code?
I searched a bit through the code but don't see anything obvious...

Thanks !
Take care,
++

Re: Manage graph access right

Posted by Reto Gmür <re...@wymiwyg.com>.
Hi Florent

Sorry for the late reply.

In Clerezza, by default, for a graph <foo> one requires the Permission
(org.apache.clerezza.rdf.core.access.security.TcPermission "<foo>" "read")
to access it. By default a user has
(org.apache.clerezza.rdf.core.access.security.TcPermission
"urn:x-localinstance:/content.graph" "read") granting them read rights to
the content graph.

Members of the CommunityUser group have the permission:
(org.apache.clerezza.rdf.core.access.security.TcPermission
"urn:x-localinstance:/user/{username}/*" "readwrite") allowing them to
create their own graphs.

If you want to set other permission requirements on a graph you can set them
using the TcAccessController service (
http://clerezza.apache.org/apidocs/org/apache/clerezza/rdf/core/access/security/TcAccessController.html).
For example you might want to make <foo> equally accessible as the content
graph by using

tca.setRequiredReadPermissions(<foo>,
    Collections.singleton((Permission) new TcPermission(
        "urn:x-localinstance:/content.graph", "read")));

With this call, reading foo will no longer require
(org.apache.clerezza.rdf.core.access.security.TcPermission "<foo>" "read")
but (org.apache.clerezza.rdf.core.access.security.TcPermission
"urn:x-localinstance:/content.graph" "read").

Cheers,
Reto



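The permission indirection described in the reply above, worked through as an added example that is not part of the original thread and is not Clerezza code: a small Python model of who can read a user graph before and after the required read permission is replaced. The names Perm, AccessModel, default_perms and the graph URI are hypothetical, and the wildcard and "readwrite covers read" matching rules are assumptions of the model.

```python
from dataclasses import dataclass

CONTENT = "urn:x-localinstance:/content.graph"

@dataclass(frozen=True)
class Perm:
    """Stand-in for a TcPermission: a graph URI pattern plus an action."""
    pattern: str
    action: str  # "read" or "readwrite"

    def implies(self, other):
        # Assumption: a trailing "*" matches any URI with that prefix,
        # and "readwrite" covers "read".
        if self.pattern.endswith("*"):
            target_ok = other.pattern.startswith(self.pattern[:-1])
        else:
            target_ok = self.pattern == other.pattern
        return target_ok and self.action in (other.action, "readwrite")

class AccessModel:
    def __init__(self):
        self.required_read = {}  # graph URI -> Perm overriding the default

    def set_required_read(self, graph, perm):
        self.required_read[graph] = perm

    def can_read(self, held, graph):
        # Default requirement: a "read" permission on the graph itself.
        needed = self.required_read.get(graph, Perm(graph, "read"))
        return any(p.implies(needed) for p in held)

def default_perms(username):
    # Permissions the reply describes for a member of CommunityUser.
    return [Perm(CONTENT, "read"),
            Perm(f"urn:x-localinstance:/user/{username}/*", "readwrite")]

def demo():
    model = AccessModel()
    graph = "urn:x-localinstance:/user/alice/notes.graph"  # constructed URI
    alice, bob = default_perms("alice"), default_perms("bob")
    before = (model.can_read(alice, graph), model.can_read(bob, graph))
    # Same substitution as the reply's setRequiredReadPermissions call.
    model.set_required_read(graph, Perm(CONTENT, "read"))
    after = (model.can_read(alice, graph), model.can_read(bob, graph))
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model the substitution opens the graph to every holder of the content-graph read permission, so it shares the graph with all default users rather than with a chosen one.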