incubator-clerezza-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reto Bachmann-Gmuer <reto.bachm...@trialox.org>
Subject Re: setting permissions on a graph?
Date Mon, 21 Mar 2011 18:59:14 GMT
On Mon, Mar 21, 2011 at 3:56 PM, Henry Story <henry.story@bblfish.net>wrote:

> I the WebIdGraphsService a permission on a graph in set by calling
>
>
> tcManager.getTcAccessController.setRequiredReadPermissionStrings(localGraphUri,
> List(new TcPermission(Constants.CONTENT_GRAPH_URI_STRING,
> TcPermission.READ).toString))
>
> I don't understand what
> Constants.CONTENT_GRAPH_URI_STRING
>
> has to do in there. I am not sure how to read the
> setRequiredReadPermissionStrings method.
>
This methos sets a permission required to read from a specified graph. By
default to read from a graph named <http://foo/> one needs the permission

 (org.apache.clerezza.rdf.core.access.security.TcPermission "http://foo/"
"read")

By calling setRequiredReadPermissionString one can set an arbitary list of
permissions the user requires to read from a TripleCollection .If the method
has been called the set permissions are required instead of the default
permssion to read from a Graph. For example calling

tcManager.getTcAccessController.setRequiredReadPermissionStrings(recipiesGraphUri,
List("(org.example.CookingPermission \"\" \"\""))

would cause the recipiesGraph to be readable by anyone who has
CookingPermission.

The effect of the example you quote is that anyone who has readpermission on
the content graph is allowed to read from the graph denoted by
localGraphUri.
>
>
> Also is it called setRequiredReadPermissionStrings when you can set read or
> write permissions?
>
With setRequiredReadPermissionStrings you can set arbitrary permissions that
are the all required to read a specified triple collection, it doesn't
matter how the permissions are called.


> Why not just setPermissions?
>
Because it shall be possible (and we generally want) to set different sets
of permission required for reading and for writing.


>
> I would like to have a graph for each user with an account, to which every
> agent on the web - even anonymous users - can write, but where the deleting
> is going to be very restricted.

There is no distinction between writing and deleting, one is either alloed
to modify an MGraph or isn't. If an application wants to allow users adding
information to a graph but not removing information the it should do the
graph access as priviledged after possibly checking that the user has the
right the permssion required by the application (no ckeck required in your
case).


> I also want to filter that graph so that each agent can only see what he
> wrote to the graph.
>
In this case you should create a distinct graph for every user, the user
will write and read to this graph, while others might access the union of
all these graphs.


> The point of this graph is for people using other CMSes to be able to send
> pings to a Clerezza user in order to notify him for example that she was
> added to someone's foaf profile for example.
>
I'm wondering if it is a required features that users can see what the wrote
to this graph. Also I'm wondering what the advantages of such an inbox-graph
is, would the owner of the mailbox frequently want to see the merge from all
the added graphs?


>
> I am not quite sure what permissions I should set on that graph... If there
> was to be a permission restriction, it might be for certain code to be able
> to write to that graph - the ping code for example.
>
To me its still hard to see what exactly you're envisaging, spontaneously I
think only the owner of the mailbox should have permissions on the graph and
have code which adds triples on behalf of other users which do not themself
have write-right to the graph.

Cheers,
Reto

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message