[schooltool-dev] schooltool security policy enhancement?
Paul Carduner
paulcarduner at gmail.com
Mon Jun 18 17:23:57 EDT 2007
I would like to suggest some additions to SchoolTool's security policy.
The allow directive should also accept attributes and class. If a
class is specified then you cannot specify an interface. This would
allow finer grained control of permissions. Here is a usecase:
Our Journal objects have a set of managers and a set of members, and
these two attributes are likewise included in the IJournal interface,
along with title and description. You must have the schooltool.edit
permission to modify any of these attributes, and schooltool.view to
read any of these attributes. I want to give teachers the
schooltool.edit permission for everything in the IJournal interface,
in which case the current security policy works fine. I want to give
students the ability to modify the title and description but not
members or managers. With the current system that would mean creating
a new interface with just the members and managers attributes and then
add another allow directive for this interface. The additional lines
are:
IHaveMembersAndManagers(Interface):
members = Attribute('blah blah blah')
managers = Attribtue('blah blah blah')
<allow
interface="IHaveMembersAndManagers"
permission="schooltool.edit"
crowds="teachers" />
on the other hand, if allow also took attributes, the additional lines would be
attributes="title description"
attributes="members managers"
(in the right places of course)
Thoughts? Am I missing something that makes this already possible?
- Paul
More information about the Schooltool-dev
mailing list