shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: Instance level security w/ Permissions
Date Mon, 26 Jan 2009 17:26:01 GMT
On Mon, Jan 26, 2009 at 11:58 AM, Daniel J. Lauk <daniel.lauk@gmail.com> wrote:

> Les, Peter,
>
> thanks for the details.
>
> >> Instance-level permissions are very powerful indeed, however, you don't
> >> want to create hundreds or thousands of them.  Typically my applications use
> >> a mix of logic that requires knowledge of how the application works as well
> >> as permission checks:
>
> So reducing the count of entries in the DB will speed things up? ;-)


:)

> >> Based on your example, I would only check if someone is allowed to review
> >> an entry if they are NOT the reviewer already assigned to the entry.
>
> Well, actually, nobody but the assigned reviewer is allowed.
> As I will have the field around for DB queries anyway, I guess that
> permissions don't add value from the app logic point of view.


Well, that depends on your app logic ;)

For example, most of my applications have a 'root' user and/or a
'administrator' role.  Now, when the root user logs in, or someone who has
the 'administrator' role logs in, I would want them to be able to see the
entry if they so desired.  The 'administrator' role would be assigned the
"entry:review" permission, allowing them to 'review' any entry.  Again, that
would be my desire for my application - your application may not allow even
an administrator to see such a thing.

> Nevertheless they add value from the point of view that permissions go
> along with functionality as opposed to roles.


Absolutely correct.

In permission-based systems, Permissions describe raw application
functionality - they are the 'what' can be done in an application and have
no concept of 'who' can do something.

Similarly a Role is merely a named collection of Permissions. They aggregate
raw functionality into a 'bundle' of sorts that describes the ability to do
multiple things.  There is still no 'who' at this level.

The users are the 'who'.  'Who' can do 'what' is usually achieved by
assigning one or more roles to a user, for example,
user.getRoles().add(aRole);

If you have a dynamic role system, where you can add/delete roles at
runtime, your application code _must_ check against permissions, not roles.

Cheers,

Les
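
The distinction drawn in the message above, as an added example that is not part of the original post and is not Shiro's own code: the assigned reviewer is allowed by application logic, everyone else needs the "entry:review" permission, and a check against a hard-coded role name misses a role created at runtime. All class, method and user names here are hypothetical, apart from the "entry:review" permission, the 'administrator' role and the user.getRoles().add(aRole) call taken from the message.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical, not Shiro's API.
public class PermissionCheckDemo {
    // A role is only a named bundle of permission strings (the 'what').
    record Role(String name, Set<String> permissions) {}

    // The user is the 'who'; roles can be added or removed at runtime.
    static class User {
        final String name;
        final Set<Role> roles = new HashSet<>();
        User(String name) { this.name = name; }
        Set<Role> getRoles() { return roles; }
        boolean isPermitted(String permission) {
            return roles.stream().anyMatch(r -> r.permissions().contains(permission));
        }
        boolean hasRole(String roleName) {
            return roles.stream().anyMatch(r -> r.name().equals(roleName));
        }
    }

    record Entry(long id, String assignedReviewer) {}

    // Application knowledge first (assigned reviewer), permission check otherwise.
    static boolean canReview(User user, Entry entry) {
        return user.name.equals(entry.assignedReviewer()) || user.isPermitted("entry:review");
    }

    // Brittle variant: hard-codes a role name that may be renamed or deleted later.
    static boolean canReviewByRole(User user, Entry entry) {
        return user.name.equals(entry.assignedReviewer()) || user.hasRole("administrator");
    }

    public static void main(String[] args) {
        Entry entry = new Entry(42L, "daniel");   // constructed sample data
        User daniel = new User("daniel");         // assigned reviewer, holds no roles
        User root = new User("root");
        root.getRoles().add(new Role("administrator", Set.of("entry:review")));
        User carol = new User("carol");
        // Role defined at runtime; no application code knows the name "auditor".
        carol.getRoles().add(new Role("auditor", Set.of("entry:review")));
        User erin = new User("erin");             // no roles, not the reviewer

        for (User u : List.of(daniel, root, carol, erin)) {
            System.out.printf("%-8s permission-check=%-5b role-check=%b%n",
                    u.name, canReview(u, entry), canReviewByRole(u, entry));
        }
    }
}
```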
