You are viewing a plain text version of this content. The canonical link for it is here.
Posted to slide-dev@jakarta.apache.org by "McDonnell, David" <Da...@csu.edu.au> on 2001/02/26 22:26:10 UTC
Group patch for slide
Hi all,
I've coded group support into slide, and I'm posting it here so that it can
be committed to the project.
Here is an example of its use in Domain.xml. Usually you would just add
LinkNodes pointing to the actual user under the GroupNode.
<objectnode classname="org.apache.slide.structure.GroupNode"
uri="/users/groupA">
<objectnode classname="org.apache.slide.structure.LinkNode"
uri="/users/groupA/john" linkedUri="/users/john" />
<objectnode classname="org.apache.slide.structure.LinkNode"
uri="/users/groupA/dave" linkedUri="/users/dave" />
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/users/groupA/singleGroupMember" />
</objectnode>
Attached is the source file for GroupNode. It needs to go into the
share/org/slide/structure directory.
This block of code needs to be added to SecurityImpl after the line " if
(permissionSubject.startsWith("/")) { " , its purpose is to expand the
children of a GroupNode out into actual permissions. It currently only
handles one level deep of grouping (I believe this is the way it should
work, but if someone has a good reason, it could support nested grouping).
Uri permissionSubjectUri =
namespace.getUri(permission.getSubjectUri());
ObjectNode group =
permissionSubjectUri.getStore().retrieveObject(permissionSubjectUri);
// if the node is a GroupNode, expand it out to
normal permissions
if (group instanceof
org.apache.slide.structure.GroupNode ) {
if (group.hasChildren()) {
Enumeration groupMembers =
group.enumerateChildren();
// parse thru the children of the group and
check permissions on each
while (groupMembers.hasMoreElements()) {
oldGranted = granted;
oldDenied = denied;
Uri childUri = namespace.getUri((String)
groupMembers.nextElement());
ObjectNode childNode =
childUri.getStore().retrieveObject(childUri);
String childSubjectUri = childNode
instanceof LinkNode ? ((LinkNode) childNode).getLinkedUri() :
childNode.getUri() ;
granted = (!permission.isNegative())
&& (subjectUri.toString()
.startsWith(childSubjectUri))
&& (actionUri.toString()
.startsWith(permission.getActionUri()));
denied = (permission.isNegative())
&& (subjectUri.toString()
.startsWith(childSubjectUri))
&& (actionUri.toString()
.startsWith(permission.getActionUri()));
granted = granted | oldGranted;
denied = denied | oldDenied;
}
continue;
}
}
Comments welcome, sorry for the long post...
Cheers,
Dave
=================================================================
- Dave McDonnell - CSU Online -
- Web Programmer - Charles Sturt University -
- - -
- david.mcdonnell@csu.edu.au - +61 2 6933 4217 -
=================================================================
Re: Group patch for slide
Posted by Remy Maucherat <re...@apache.org>.
> Hi all,
>
> I've coded group support into slide, and I'm posting it here so that it
can
> be committed to the project.
I just reviewed the patch, and I'm really concerned about the performance
impact. The ACL check algorithm is called all the time, before any action is
attempted, so it's important it's as fast as possible. Here, we're adding
way too much overhead IMO.
To avoid this, I suggest adding yet another character prefix for the subjct
uri in the permission (which will also come handy when building UIs; the UI
will know when expanding can / should take place and display accurate
information). I suggest using '+' (which is usually associated with the
expand action, so it's quite consistent).
Remy