incubator-bloodhound-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joachim Dreimann <joachim.dreim...@wandisco.com>
Subject Re: [BEP-0003] [RFC] Permissions in product scope
Date Tue, 22 Jan 2013 13:43:00 GMT
I'm a bit concerned about the complexity of some of those suggestions. I
think they should be:

1. Product owner(s) === PRODUCT_ADMIN;
2. Administration area is the same for all admin levels, just filtered by
permissions.
3. Product owners have control over the product, not the environment (as
Olemis suggested).

I believe it should be our goal to take more of the functionality of the
'admin' screens (especially the Ticket System section) and display them in
the regular UI itself.

That sums it up for me.

- Joe


On 22 January 2013 13:15, Andrej Golcov <andrej@digiverse.si> wrote:

> > 7. At present components check for TRAC_ADMIN permission explicitly .
> > Some checks might be true for product admins but others do not.
> How does Trac should know when it is the case? That can be quite
> complex and and potentially brings inconsistent behavior.
>
> I have in mind a little different solution that also has some
> drawbacks but provides consistent behavior:
>  - Site Admin has TRAC_ADMIN permission for parent environment.
>  - Product Admin has  TRAC_ADMIN permission for specific product
> environment.
>  - Check TRAC_ADMIN permission in product environment should return
> True for Site Admin. IOW, Site admin is also admin for all products.
>  - Site Admin UI has it's own url and is executed in parent
> environment e.g. http://bla/main/admin - The functionality of the UI
> can be quite different from Product Admin UI, e.g. User management
> must be part of this UI.
>  - Product Admin UI has it's own url and is executed in product
> environment  e.g. http://bla/main/productX/admin - Product admin can
> assign product specific permissions to user but cannot CRUD users,
> change system specific settings.
>  - Product environment should protect from changing of system settings
> and multi-product instances such as Users. For example, Product Admin
> (with TRAC_ADMIN permission on specific product) cannot change DB
> connection string. That can be tricky :) I don't yet feel myself
> confident enough to say how this can be implemented. May be kind of
> black list of system settings?
> Comment, please.
>
> Regards, Andrej
>



-- 
Joe Dreimann
UX Designer | WANdisco <http://www.wandisco.com/>
*
*
*Transform your software development department. Register for a free SVN
HealthCheck <http://go.wandisco.com/HealthCheck-Sig.html> *

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message