Re: querying ACLs
> Is it possible to "query" what permissions an "entity" has prior to
> them trying to make a change or addition? In context, I'm writing an
> app that has different levels of editing based on who you are / what
> groups you're in etc.
> From the majority of examples I've seen this seems to be a try fail sort
> of thing, try to edit, if it fails you report the error (usually no
> permissions). It would be really handy to turn that around and query
> the server first and give an interface to the user which only has
> parts they can edit as editable - I could code in which groups have
> access etc but then if I add extra groups to the ACL I'll need to
> change code ... simply trying to modify every attribute then catching
> / reporting failures or using this to work out what they can edit just
> feels dirty and surely isn't very efficient - is there an alternative?
This is more of an LDAP usage question, rather than about OpenLDAP software.
You'd be better served by pinging:
Why not use roles/groups?
As for "I could code in which groups have access etc but then if I add
extra groups to the ACL I'll need to change code", this is just bad coding.
Have your code send a query for groups that are allowed to do things, i.e.
another entry for an action/ACL, with groups as attributes that can
perform these actions. Then do another query to check the users are in
that group. Or do some & searches etc.
Please shout all if I'm talking rubbish ;-)
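The two-query lookup suggested in the reply above, sketched as an added example that is not part of the original thread. The `appPermission` object class, the `allowedGroup` and `editableAttr` attributes, and the sample DNs are hypothetical, and constructed in-memory data stands in for the search results; the answer only decides which fields the UI offers, while the server's ACLs still decide each write.

```python
# Added example; the entry layout and attribute names are hypothetical.
def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)

def membership_filter(user_dn):
    """Query 1: which groups list this user as a member?"""
    return ('(&(objectClass=groupOfNames)(member=%s))'
            % escape_filter_value(user_dn))

def permission_filter(group_dns):
    """Query 2: which permission entries name any of those groups?"""
    ors = ''.join('(allowedGroup=%s)' % escape_filter_value(g)
                  for g in sorted(group_dns))
    return '(&(objectClass=appPermission)(|%s))' % ors

# Constructed sample data standing in for what the two searches return.
EDITORS = 'cn=editors,ou=groups,dc=example,dc=com'
HR = 'cn=hr,ou=groups,dc=example,dc=com'
ALICE = 'uid=alice,ou=people,dc=example,dc=com'
BOB = 'uid=bob,ou=people,dc=example,dc=com'
GROUPS = {EDITORS: [ALICE], HR: [BOB]}
PERMISSIONS = [
    {'cn': 'edit-contact', 'allowedGroup': [EDITORS, HR],
     'editableAttr': ['mail', 'telephoneNumber']},
    {'cn': 'edit-title', 'allowedGroup': [HR],
     'editableAttr': ['title']},
]

def editable_attributes(user_dn):
    """Resolve the attributes the UI should present as editable."""
    # Exact string match here; a real directory compares DNs by its
    # matching rules (case-insensitive, whitespace-normalised).
    groups = {dn for dn, members in GROUPS.items() if user_dn in members}
    if not groups:
        return []  # no groups: skip query 2 rather than send an empty OR
    attrs = set()
    for entry in PERMISSIONS:
        if groups & set(entry['allowedGroup']):
            attrs.update(entry['editableAttr'])
    return sorted(attrs)

if __name__ == '__main__':
    print(membership_filter(ALICE))
    print(permission_filter([EDITORS]))
    print(editable_attributes(ALICE))
```

Adding a group to a permission entry changes the result without touching the code, which is the point the reply makes.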