Return-Path: 
 <bloodhound-dev-return-1641-apmail-incubator-bloodhound-dev-archive=incubator.apache.org@incubator.apache.org>
X-Original-To: apmail-incubator-bloodhound-dev-archive@minotaur.apache.org
Delivered-To: apmail-incubator-bloodhound-dev-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 16104E89F
	for <apmail-incubator-bloodhound-dev-archive@minotaur.apache.org>;
 Tue, 22 Jan 2013 14:57:53 +0000 (UTC)
Received: (qmail 79208 invoked by uid 500); 22 Jan 2013 14:57:52 -0000
Delivered-To: apmail-incubator-bloodhound-dev-archive@incubator.apache.org
Received: (qmail 79130 invoked by uid 500); 22 Jan 2013 14:57:51 -0000
Mailing-List: contact bloodhound-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:bloodhound-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:bloodhound-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:bloodhound-dev@incubator.apache.org>
List-Id: <bloodhound-dev.incubator.apache.org>
Reply-To: bloodhound-dev@incubator.apache.org
Delivered-To: mailing list bloodhound-dev@incubator.apache.org
Received: (qmail 79108 invoked by uid 99); 22 Jan 2013 14:57:51 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 Jan 2013 14:57:51 +0000
X-ASF-Spam-Status: No, hits=2.2 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (nike.apache.org: local policy)
Received: from [209.85.219.51] (HELO mail-oa0-f51.google.com) (209.85.219.51)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 Jan 2013 14:57:45 +0000
Received: by mail-oa0-f51.google.com with SMTP id n12so7341091oag.10
        for <bloodhound-dev@incubator.apache.org>;
 Tue, 22 Jan 2013 06:57:24 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:content-type:x-gm-message-state;
        bh=IQ2ZzhAW1Tp8rY63BXkwOB5kNGHS+goE7vRw5O/kid4=;
        b=miN478A9gdWkp16LBFlQsKICzVeMHzQuY17SWHnVTkk6AnrEupGwe+sDJCABKuJ14o
         Y3aOrLtFUu6M1qTGk++1yWJGdxjJthNeQniVeSrV+x9VotmXUH5SjY7qafjCc/AVBV7E
         9RWkrqdsLOsOdYr5w6+J361PeGsWwPCBAcSj5CFNQ7DqYaO3lsaG16J10N2Qcihxy23d
         RTtkpkfp8wnzho/bNJOes67g6ydzJeUwVDdAWc4Qww7JsmVHEGfpg3wVtYM526J13bSO
         SCChPRz4wf0EkiHcqP3ZJ3P47kgdmfUl4mAVNlg0bSxRkiOWvIzJjqLuXH1isqyHJlIR
         9V3w==
MIME-Version: 1.0
X-Received: by 10.182.117.5 with SMTP id ka5mr6130052obb.49.1358866643839;
 Tue, 22 Jan 2013 06:57:23 -0800 (PST)
Received: by 10.76.96.76 with HTTP; Tue, 22 Jan 2013 06:57:23 -0800 (PST)
In-Reply-To: 
 <CAKoya90kZMSkPQJ+zH3TV92UV=cntsX=mXyeJ3uYO8fVmKHQyA@mail.gmail.com>
References: 
 <CAGMZAuPPhjfGx4QgKz_-5udbGncr4PSp-n=xXYO7N0cMkko4jw@mail.gmail.com>
	<CAHM0gngAMBS8DGYfTc4q5R3rv6A8x6GS1mHLHNEoU3KVQ2davA@mail.gmail.com>
	<CAKoya90kZMSkPQJ+zH3TV92UV=cntsX=mXyeJ3uYO8fVmKHQyA@mail.gmail.com>
Date: Tue, 22 Jan 2013 15:57:23 +0100
Message-ID: 
 <CAJSKAsiUYgpL=EaQuuLnZ5k+EkX-QWv85uc163FGmnzZmpVFcg@mail.gmail.com>
Subject: Re: [BEP-0003] [RFC] Permissions in product scope
From: =?UTF-8?Q?Peter_Ko=C5=BEelj?= <peter@digiverse.si>
To: bloodhound-dev@incubator.apache.org
Content-Type: multipart/alternative; boundary=f46d044630069a6c7d04d3e1cb08
X-Gm-Message-State: 
 ALoCoQmtrl0q4OxpDcHYVuv4QtUeO5njFeTeJ2a0TIYn5OgUWU7Vg5Asmq9TsXO/Na+p1v7RKHhu
X-Virus-Checked: Checked by ClamAV on apache.org

--f46d044630069a6c7d04d3e1cb08
Content-Type: text/plain; charset=ISO-8859-1

I agree with Joe here but we still need to find a technical solution to
make it all work here.
I must say I do not completely understand the diference between what Andrej
and Olemis are suggesting in one key point:

We do need to say that every product administrators also has a role of
TRAC_ADMIN in his product scope (to make the admin page and plugins
working). So Andrej suggest that we do that unconditionally and Olemis
suggest that we do that conditionally.

Question for Andrej: How do we prevent product administrators from changing
system level settings?
Question for Olemis: How do we do that conditional TRAC_ADMIN role thingy
to prevent changing product administrators from changing system level
settings?

I imagine that the hard part is the same in both proposals and that the
differences are only a small implementation detail.

The real question for me is: while all this seems useful, is it important
enough to complicate things at this point in time?
Do not get me wrong, I do think it should be solved sooner than later, but
it should not block us form rolling out a multiproducts without it.

Peter


On 22 January 2013 14:43, Joachim Dreimann <joachim.dreimann@wandisco.com>wrote:

> I'm a bit concerned about the complexity of some of those suggestions. I
> think they should be:
>
> 1. Product owner(s) === PRODUCT_ADMIN;
> 2. Administration area is the same for all admin levels, just filtered by
> permissions.
> 3. Product owners have control over the product, not the environment (as
> Olemis suggested).
>
> I believe it should be our goal to take more of the functionality of the
> 'admin' screens (especially the Ticket System section) and display them in
> the regular UI itself.
>
> That sums it up for me.
>
> - Joe
>
>
> On 22 January 2013 13:15, Andrej Golcov <andrej@digiverse.si> wrote:
>
> > > 7. At present components check for TRAC_ADMIN permission explicitly .
> > > Some checks might be true for product admins but others do not.
> > How does Trac should know when it is the case? That can be quite
> > complex and and potentially brings inconsistent behavior.
> >
> > I have in mind a little different solution that also has some
> > drawbacks but provides consistent behavior:
> >  - Site Admin has TRAC_ADMIN permission for parent environment.
> >  - Product Admin has  TRAC_ADMIN permission for specific product
> > environment.
> >  - Check TRAC_ADMIN permission in product environment should return
> > True for Site Admin. IOW, Site admin is also admin for all products.
> >  - Site Admin UI has it's own url and is executed in parent
> > environment e.g. http://bla/main/admin - The functionality of the UI
> > can be quite different from Product Admin UI, e.g. User management
> > must be part of this UI.
> >  - Product Admin UI has it's own url and is executed in product
> > environment  e.g. http://bla/main/productX/admin - Product admin can
> > assign product specific permissions to user but cannot CRUD users,
> > change system specific settings.
> >  - Product environment should protect from changing of system settings
> > and multi-product instances such as Users. For example, Product Admin
> > (with TRAC_ADMIN permission on specific product) cannot change DB
> > connection string. That can be tricky :) I don't yet feel myself
> > confident enough to say how this can be implemented. May be kind of
> > black list of system settings?
> > Comment, please.
> >
> > Regards, Andrej
> >
>
>
>
> --
> Joe Dreimann
> UX Designer | WANdisco <http://www.wandisco.com/>
> *
> *
> *Transform your software development department. Register for a free SVN
> HealthCheck <http://go.wandisco.com/HealthCheck-Sig.html> *
>

--f46d044630069a6c7d04d3e1cb08--