Re: delete permission

[Bruce Greenblatt <bgreenblatt@directory-applications.com>]

>>
>> > David,
>> >
>> > On relating the subtreeACI and subtree operation...
>> >
>> > My thinking is that if there is a subtreeACI with a delete permission,
>> > then when the subtree delete operation is executed on the server, the
>> > subtreeACI is checked for delete permission and since it is set the
>> > subtree operation succeeds.
>>
>>Not so. There may be an entry somewhere in the subtree that
>>forbids the deletion of that single entry. Therefore the subtree
>>delete should fail, as the client does not have permission to delete
>>the whole tree. This is why I said that separation of the ACI into two
>>attributes made no difference at all.
>
>(EJS)  I now see your point.
>
>

A seperate but related issue to how the delete permission overrides the
delete subtree permission, is the more general problems of how to treat
overlapping permissions.  I don't know that there needs to be a general
treatment, but when a new permission that is defined overlaps with a
previously defined permission, there should be some discussion of the
relationship.  Any thoughts?

Bruce
==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com
See my new Book on Internet Directories:
http://www.phptr.com/ptrbooks/ptr_0139744525.html