MidCOM ACL

From OpenPSA Wiki


MidCOM versions newer than 2.4 provide Access Control Lists where privileges can be assigned to users or content objects. The MidCOM Service midcom.services.auth holds the necessary functionality. The MidCOM Component midcom.admin.acl provides an editor for privileges.

Privileges can be assigned to Groups, Persons and magic assignees, like 'EVERYONE', 'ANONYMOUS' or 'USERS'. The MidCOM DBA method get_class_magic_default_privileges can be used to set default privileges for all objects of a DBA type.

By default, the following privileges are available:

Midgard Core Privileges

These privileges are part of the MidCOM Database Abstraction Layer (MidCOM DBA) and are available to all MgdSchema-based objects. They will move into the core level eventually, but for the time being MidCOM controls them.

  • midgard:read controls read access to the object; if it is denied, you cannot load the object from the database. This privilege is granted by default and supersedes the current ViewerGroups implementation.
  • midgard:update controls updating of objects. Be aware that you need to be able to read the object before updating it. It is granted by default only for owners.
  • midgard:delete controls deletion of objects. Be aware that you need to be able to read the object before deleting it. It is granted by default only for owners.
  • midgard:create allows you to create new content objects as children of any content object you hold the create privilege for. This means you can create an Article if and only if you have create permission for either the parent Article (if you create a so-called 'reply article') or the parent Topic. It is granted by default only for owners.
  • midgard:parameters allows the manipulation of Parameters on the current object if and only if the user also has the midgard:update privilege on the object. This privilege is granted by default and covers the full set of parameter operations (create, update and delete).
  • midgard:attachments is analogous to midgard:parameters but covers Attachments instead and is also granted by default.
  • midgard:autoserve_attachment controls whether an Attachment may be autoserved using the midcom-serveattachment handler. This is granted by default, allowing every attachment to be served using the default MidCOM URL Method. Denying this right allows component authors to build more sophisticated access control restrictions on attachments.
  • midgard:privileges allows the user to change the permissions of the objects it is granted on. You also need midgard:update and midgard:parameters to properly execute these operations.
  • midgard:owner indicates that the user who has this privilege set is an owner of the given content object.

MidCOM Core Privileges

  • midcom:approve grants the user the right to approve or unapprove objects.
  • midcom:component_config grants the user access to configuration management systems in AIS. Components implementing these screens must check this privilege manually; the midcom_baseclasses_components_request_admin baseclass does this implicitly when accessing the config screen (you still need to control toolbar links yourself). It is granted by default only for owners.
  • midcom:isonline is needed to see the online state of another user. It is not granted by default.
  • midcom:vgroup_register allows the user to add virtual groups to the system. This privilege is granted by default.
  • midcom:vgroup_delete allows the user to delete virtual groups from the system. This privilege is granted by default.
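The two lists above combine default grants with prerequisite rules (read before update or delete, update before parameters, update and parameters before privileges, owner-only defaults for update, delete, create and component_config). The following Python is an added illustration written for this page, not MidCOM code: it models those rules so the combinations can be checked; the OWNERS pseudo-assignee and the assignee precedence order are assumptions of the model.

```python
from dataclasses import dataclass, field
ALLOW, DENY = "allow", "deny"

# Class-wide defaults as this page states them. "OWNERS" is a pseudo-assignee
# this model uses for "granted by default only for owners".
DEFAULTS = {
    "EVERYONE": {"midgard:read": ALLOW, "midgard:parameters": ALLOW,
                 "midgard:attachments": ALLOW, "midgard:autoserve_attachment": ALLOW},
    "OWNERS": {"midgard:update": ALLOW, "midgard:delete": ALLOW,
               "midgard:create": ALLOW, "midcom:component_config": ALLOW},
}
# Prerequisites the page spells out: no update/delete without read, no parameter
# changes without update, no privilege changes without update and parameters.
REQUIRES = {
    "midgard:update": ("midgard:read",),
    "midgard:delete": ("midgard:read",),
    "midgard:parameters": ("midgard:update",),
    "midgard:privileges": ("midgard:update", "midgard:parameters"),
}

@dataclass(frozen=True)
class User:
    id: str
    groups: frozenset = frozenset()

@dataclass
class ContentObject:
    owners: frozenset = frozenset()
    acl: dict = field(default_factory=dict)  # assignee -> {privilege: ALLOW | DENY}

def assignees(user, obj):
    # Most specific first. This precedence (person, groups, USERS or ANONYMOUS,
    # owners, EVERYONE) is an assumption of the model; the page fixes no order.
    if user is None:
        return ["ANONYMOUS", "EVERYONE"]
    names = [user.id, *sorted(user.groups), "USERS"]
    if user.id in obj.owners:
        names.append("OWNERS")
    return names + ["EVERYONE"]

def _resolve(user, obj, priv):
    for who in assignees(user, obj):
        for table in (obj.acl, DEFAULTS):  # explicit object grant beats class default
            if priv in table.get(who, {}):
                return table[who][priv]
    return DENY  # a privilege nobody set is not granted

def can_do(user, obj, priv):
    # For midgard:create pass the parent the new child would be created under.
    return (all(can_do(user, obj, dep) for dep in REQUIRES.get(priv, ()))
            and _resolve(user, obj, priv) == ALLOW)
```

One consequence worth noting: denying midgard:read to EVERYONE on an object locks out its owners as well, since update and delete are only reachable through read, unless a more specific assignee (a person, group or USERS) is granted read explicitly.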


Weblinks

ACL editor entry in Henri Bergius's weblog
MidCOM RFC on Access Control (outdated)
nehmer.net ACL tutorial