On 04/05/2013 02:46 PM, Denis Gervalle wrote:
> Hi devs,
>
> While introducing the new security module, we have added a new right named
> "creator", only applicable at document level; it is automatically applied
> on documents for their creator. This right is not really checked for
> itself, but it implies the delete right with a tie resolution policy of
> allow, and an inheritance policy of not deniable. This gives a document
> creator the right to delete the document whatever other policies could say
> about him.
>
> Since having only delete right on a document does not seem really logical,
> I am wondering if it would not be good to make the creator right also imply
> the view, and the edit right. This would give to document creators
> consistent minimal rights on their documents, whatever the policy of the
> wiki is.
>
> WDYT?

Hm, I don't really like this. "creator" doesn't sound like a right to
me. When speaking about rights in Real Words, you would say that "X has
the right to `view', `edit', and `creator' on this page". And that
doesn't sound quite English to me.

I was envisioning "creator" not as a special right, but as a special
username, like XWiki.XWikiGuest used to be.

The advantage of a "creator" pseudo role is that we can set rights at
different levels, so for example we can say that in the `XWiki' space
(or `Users' at a later time), creators should be allowed to edit and
delete their documents (which means their profiles), and this would
remove the need to always add two rights objects on their profiles.

It also allows us to globally allow or disallow the delete right to
creators. Why hard-code the fact that document creators are allowed to
delete their own documents? If we want to ensure non-repudiation for
users' actions it's mandatory not to be allowed to delete documents.

The main disadvantage is that there's another special name that must be
processed securely (i.e. don't confuse creator rights with the rights
for a user named creator).

--
Sergiu Dumitriu
http://purl.org/net/sergiu
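
The "creator" pseudo-role from the reply above, sketched as an added example that is not XWiki code or part of either message. It models per-space rules for creators and contrasts a typed sentinel with a plain "creator" string that a user of the same name would match. All names (`Rule`, `Doc`, `CREATOR`, `check`, the `Audit` space, the sample users) are assumptions made for illustration.

```python
from dataclasses import dataclass

class _Creator:
    """Pseudo-principal; a distinct object, so no username string can equal it."""
    def __repr__(self):
        return "<creator>"

CREATOR = _Creator()

@dataclass(frozen=True)
class Rule:
    space: str
    principal: object  # a username string, or the CREATOR sentinel
    right: str

@dataclass(frozen=True)
class Doc:
    space: str
    name: str
    creator: str

def principals_safe(user, doc):
    """Identities the user holds on this document (typed sentinel)."""
    return {user, CREATOR} if user == doc.creator else {user}

def principals_naive(user, doc):
    """Same idea, but the pseudo-role is the plain string "creator"."""
    return {user, "creator"} if user == doc.creator else {user}

def allowed(rules, principals, right, doc):
    """Default deny: a right is held only if an allow rule in the space matches."""
    return any(r.space == doc.space and r.right == right
               and r.principal in principals for r in rules)

def policy(creator_token):
    # Constructed sample policy: creators may edit and delete in XWiki,
    # but only edit in Audit (no delete, so records of user actions stay).
    return [Rule("XWiki", creator_token, "edit"),
            Rule("XWiki", creator_token, "delete"),
            Rule("Audit", creator_token, "edit")]

alice_profile = Doc("XWiki", "alice", creator="alice")  # constructed sample
audit_entry = Doc("Audit", "entry1", creator="alice")   # constructed sample

def check(user, right, doc, safe=True):
    if safe:
        return allowed(policy(CREATOR), principals_safe(user, doc), right, doc)
    return allowed(policy("creator"), principals_naive(user, doc), right, doc)
```

With `safe=False`, an account registered under the name `creator` is granted delete on a profile it did not create; with the sentinel it is not.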