
Re: querying ACLs



<quote who="Shane">
> Hi,
>
> Is it possible to "query" what permissions an "entity" has prior to
> them trying to make a change or addition? In context, I'm writing an
> app that has different levels of editing based on who you are / what
> groups you're in etc.
>
> From majority of examples I've seen this seems to be a try fail sort
> of thing, try to edit, if it fails you report the error (usually no
> permissions). It would be really handy to turn that around and query
> the server first and give an interface to the user which only has
> parts they can edit as editable - I could code in which groups have
> access etc but then if I add extra groups to the ACL I'll need to
> change code ... simply trying to modify every attribute then catching
> / reporting failures or using this to work out what they can edit just
> feels dirty and surely isn't very efficient - is there an alternative?
>
> TIA
> Shane.
>

This is more of an LDAP usage question, rather than about OpenLDAP software.

You'd be better served by pinging:

http://www.umich.edu/~dirsvcs/ldap/mailinglist.html

Why not use roles/groups?

As for "I could code in which groups have access etc but then if I add
extra groups to the ACL I'll need to change code", this is just bad coding
;-)

Have your code send a query for groups that are allowed to do things, i.e.
another entry for an action/ACL, with groups as attributes that can
perform these actions. Then do another query to check the users are in
that group. Or do some & searches etc.

Please shout all if I'm talking rubbish ;-)

Thanks.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
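
The lookup described in the reply above, as an added example that is not part of the original message: an action entry lists the groups allowed to perform it, and a second lookup checks the user's membership. The directory contents, the `ou=actions` container and the `allowedGroup` attribute name are assumptions made for illustration; a plain dict stands in for the LDAP search results.

```python
# Added illustration; the directory contents and the attribute name
# "allowedGroup" are constructed for this example (hypothetical schema).

# Constructed sample data standing in for LDAP search results (DN -> attributes).
DIRECTORY = {
    "cn=edit-phone,ou=actions,dc=example,dc=com": {
        "allowedGroup": ["cn=helpdesk,ou=groups,dc=example,dc=com",
                         "cn=hr,ou=groups,dc=example,dc=com"]},
    "cn=edit-salary,ou=actions,dc=example,dc=com": {
        "allowedGroup": ["cn=hr,ou=groups,dc=example,dc=com"]},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "member": ["uid=shane,ou=people,dc=example,dc=com"]},
    "cn=hr,ou=groups,dc=example,dc=com": {
        "member": ["uid=gavin,ou=people,dc=example,dc=com"]},
}
ACTIONS_BASE = "ou=actions,dc=example,dc=com"

def escape_filter_value(value):
    """Escape per RFC 4515 so a DN or name cannot alter the filter structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def allowed_groups(directory, action):
    """First query: read the action entry and return the group DNs it lists."""
    entry = directory.get(f"cn={action},{ACTIONS_BASE}", {})
    return entry.get("allowedGroup", [])  # unknown action -> no groups -> denied

def can_perform(directory, user_dn, action):
    """Second query: is the user a member of any group allowed for the action?"""
    wanted = user_dn.lower()  # simplified DN comparison for this sketch
    return any(wanted in (m.lower() for m in directory.get(g, {}).get("member", []))
               for g in allowed_groups(directory, action))

def editable_actions(directory, user_dn, actions):
    """Which actions the interface should present as editable for this user."""
    return [a for a in actions if can_perform(directory, user_dn, a)]

def membership_filter(user_dn):
    """The "&" search variant: one filter matching groups that contain the user."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"
```

Adding a group to an action entry changes the result without a code change. The server's own ACLs still decide whether the eventual write succeeds; this lookup only drives what the interface offers.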