incubator-esme-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Hirsch <>
Subject Re: ESME-87 - delete user from pool
Date Wed, 28 Oct 2009 16:09:37 GMT
Sounds good.

Regarding the recording of permision changes, you will have to create
a new db table since you can't create files in the stax env.


On Wed, Oct 28, 2009 at 4:34 PM, Vassil Dichev <> wrote:
>> This patch is committed and deployed on stax.
> OK, I took a look at the "delete user" patch. It does what's defined
> in the issue, but I intend to correct the following deficiencies:
> * there's no check on the server side whether I am an administrator
> for the pool I want to delete a user from. This means that I could
> conceivably forge a request with any pool id and delete a user from a
> pool I'm not authorized to administer
> * eventually this has to be implemented in RestAPI as well. This means
> that AccessPoolMgr is not the right place for this method, since
> there's going to be code duplication. This is something we want to
> avoid as it will make maintenance harder. Note that there's a
> duplication of the exact same query in Privilege already, since it
> needs to do the same thing when you demote a user's rights!
> * it would be desirable to have some sort of history tracking of
> privilege changes, so we want to have the code more flexible in order
> to do this easiear. If deleting a permission is represented by another
> status type- NoPermission (as I've hinted before), we could implement
> this easily by having for instance a timestamp field indicating when
> the permission was activated.
> Still, there's a lot going on in this small bit of code:
> - Lift binding is used
> - The lift mapper queries the DB
> - Interaction between actors using messages
> Given that, I'd say the patch is a good start for a complicated task like this.

View raw message