Group ACLs
the rights:
CreatePersonalGroup
CreateGroup
AdminGroup
* Update group metadata and access control list
AdminGroupMembers
* Add and delete members of this group
ModifyOwnMembership
* Join and quit this group
the primitives:
In User.pm
=item HasRight { Right => 'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' }
Returns true if this user has the right 'somerightname' for
the group with id 'GroupId'
=cut
=item RightsForObject { ObjectType => 'Group', ObjectId => 'GroupId' }
In Users.pm
=item WhoHaveRight { Right =>'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' }
Finds all users who have the right 'somerightname' for the group
in question.
If a user has "AdminGroupMembers" globally and we ask about
group 23, that user should be found.
=cut
Users must be able to delegate individual rights.
* Is it that users can delegate any and all rights, but it's
only rights they _have_ which actually grant rights?
Rights must not be redelegated.
Users must be able to create groups to which rights can be delegated.
Only users who have the "delegate rights" right can delegate rights.
When a user's right to do something is revoked, the delegation must
be revoked
* For any delegated ACL check, the delegator's right must be
checked immediately after the delegatee's right.
If a user has had a right delegated by multiple parties,
this may mean that we need to actually loop through and check
a bunch of possible delegations. Or can we craft a "has delegated
right" ACL check.
ACL 1: Group Q has the right to Frob ObjectI.
ACL 2: User A has the right "DelegateRights"
Group Q has the member Group S
Group S has the member Group R
Group S has the member Group T
Group R has the member user A
Group T has the member user A
User A delegates to Group P the right to Frob ObjectI
New ACL rule:
ACL 3: Group P has the right to Frob ObjectI
as delegated from ACL1 by User A
In the case where ACL1 is revoked:
  Find all ACLs which are delegated from ACL1.
  Delete them.
In the case where User A is removed from group R:
  Get the list of all groups that A was in by way of group R before the removal.
  Get the list of all groups that A is in _after_ the removal.
  Find all the ACEs granted to each group that A is no longer in.
  For each ACE in that list, find all the rights that A has delegated.
  Whack them.
In the case where Group S is removed from group Q:
  Get a list of all groups that S was in by way of Q before the removal.
  Call this list O.
  For each user X who is a member of S (directly or indirectly):
    Get a list of all groups that X is in after removal.
    For each group in O that X is no longer a member of:
      Find all ACEs granted to that group.
      For each ACE, look up all the delegations that X has made.
      For each delegation:
        WHACK IT
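The three revocation procedures above (revoking a source ACL, removing a user from a group, removing a group from a group), as an added worked example that is not RT's own code; the membership graph and ACE records are constructed sample data, and the field names `delegated_from` / `delegator` are assumptions modelled on the "as delegated from ACL1 by User A" rule. The same membership diff serves the user and group removal cases, because removing a group affects every user it transitively contains.

```python
from collections import namedtuple
# delegated_from is the source ACE id and delegator the user who delegated (None for direct grants)
ACE = namedtuple("ACE", "id principal right obj delegated_from delegator")

class Acl:
    def __init__(self, members, aces):
        self.members = {g: set(m) for g, m in members.items()}  # group -> direct members
        self.aces = {a.id: a for a in aces}

    def groups_of(self, principal):
        # Groups containing principal directly or through nested groups
        found, stack = set(), [principal]
        while stack:
            p = stack.pop()
            for g, mem in self.members.items():
                if p in mem and g not in found:
                    found.add(g)
                    stack.append(g)
        return found

    def principals_in(self, principal):
        # principal plus every user and group it transitively contains
        found, stack = {principal}, [principal]
        while stack:
            for m in self.members.get(stack.pop(), ()):
                if m not in found:
                    found.add(m)
                    stack.append(m)
        return found

    def revoke(self, ace_id):
        # Revoking an ACE also deletes every ACE delegated from it
        for child in [a.id for a in self.aces.values() if a.delegated_from == ace_id]:
            self.revoke(child)
        self.aces.pop(ace_id, None)

    def remove_member(self, group, member):
        # Diff memberships before/after, then whack delegations any affected principal
        # made from an ACE granted to a group it is no longer in
        affected = self.principals_in(member)
        before = {x: self.groups_of(x) for x in affected}
        self.members[group].discard(member)
        revoked = []
        for x in sorted(affected):
            lost = before[x] - self.groups_of(x)
            for a in list(self.aces.values()):
                src = self.aces.get(a.delegated_from)
                if a.delegator == x and src and src.principal in lost:
                    revoked.append(a.id)
                    self.revoke(a.id)
        return revoked
```

Note that removing A from R alone revokes nothing, since A still reaches Q through T; only when the last path to Q is gone does ACL 3 get whacked.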