jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Meschberger <fmesc...@gmail.com>
Subject Re: Group denies
Date Tue, 07 Jul 2009 13:03:12 GMT
Hi

This might get off-topic, and already discussed on this list, so please
forgive me ....

Angela Schreiber schrieb:
> hi
> 
>> I am wondering the reasoning behind not allowing a deny for a set of
>> permissions to be allowed on a group ?
> 
> original change behind was that david wished the group membership
> to be stored together with the authorizable and not with
> the group itself.

Really ? So Jackrabbit would be the only system in the world doing this ?

> 
> while discussing that change, we (chris/david/angela) were also
> talking about the 'order' of group membership and the problem
> denies impose... consequently david opposed to having denies
> for groups in general. that's why i add the check in jackrabbit.

Group memberships should IMHO not have an inherent order ... Otherwise
all kinds of problems arise not the least the question of "how to define
this ordering".

> 
> just for your information: we had the same discussion again
> last week, reconsidering that decision once again...

Here ? What's the final state then ?

Regards
Felix

> 
>> Which appears to be contrary to the advice given in [1], assuming CRX
>> is using the same or similar code.
> 
> please note: crx != jackrabbit.
> crx 1.4 is not using the same code. the original patch for
> user/ac management posted by chrisk (see JCR-1171) is derived
> from crx and has been heavily modified in order to match the
> requirements from jsr 283.
> 
> for the future of crx security stuff please direct yourself
> to day directly.
> 
> 
> angela
> 

Mime
View raw message