incubator-bloodhound-dev mailing list archives

From Andrej Golcov <and...@digiverse.si>
Subject Re: [BEP-0003] [RFC] Permissions in product scope
Date Tue, 22 Jan 2013 13:15:30 GMT
> 7. At present components check for TRAC_ADMIN permission explicitly.
> Some checks might be true for product admins but others do not.
How should Trac know when it is the case? That can be quite
complex and potentially brings inconsistent behavior.

I have in mind a slightly different solution that also has some
drawbacks but provides consistent behavior:
 - Site Admin has TRAC_ADMIN permission for the parent environment.
 - Product Admin has TRAC_ADMIN permission for a specific product environment.
 - A check for TRAC_ADMIN permission in a product environment should return
True for Site Admin. IOW, Site Admin is also admin for all products.
 - Site Admin UI has its own URL and is executed in the parent
environment, e.g. http://bla/main/admin - The functionality of the UI
can be quite different from the Product Admin UI, e.g. user management
must be part of this UI.
 - Product Admin UI has its own URL and is executed in the product
environment, e.g. http://bla/main/productX/admin - Product Admin can
assign product-specific permissions to users but cannot CRUD users or
change system-specific settings.
 - The product environment should protect against changes to system settings
and multi-product instances such as Users. For example, Product Admin
(with TRAC_ADMIN permission on a specific product) cannot change the DB
connection string. That can be tricky :) I don't yet feel
confident enough to say how this can be implemented. Maybe a kind of
blacklist of system settings?
Comments, please.

Regards, Andrej
