X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=blobdiff_plain;f=rt%2Fdocs%2Fdesign_docs%2Fdelegation;fp=rt%2Fdocs%2Fdesign_docs%2Fdelegation;h=0000000000000000000000000000000000000000;hp=0e570590701f35497596c8bd475a0cdd10a8af59;hb=43a06151e47d2c59b833cbd8c26d97865ee850b6;hpb=6587f6ba7d047ddc1686c080090afe7d53365bd4 diff --git a/rt/docs/design_docs/delegation b/rt/docs/design_docs/delegation deleted file mode 100644 index 0e5705907..000000000 --- a/rt/docs/design_docs/delegation +++ /dev/null 
@@ -1,115 +0,0 @@ -Group ACLs - - the rights: - - - CreatePersonalGroup - CreateGroup - - AdminGroup - * Update group metadata and access control list - AdminGroupMembers - * Add ad delete members of this group - ModifyOwnMembership - * Join and quit this group - - - the primitives: - -In user.pm - -=item HasRight { Right => 'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' - - Returns true if this user has the right 'somerightname' for -the group with id 'Id' - -=cut - - -=item RightsForObject { ObjectType => 'Group', ObjectId =>'GroupId' } - -in users.pm - -=item WhoHaveRight { Right =>'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' } - - - Finds all users who have the right 'somerightname' for the group -in question. - - If a user has "AdminGroupMembers" globally and we ask about - group 23, that user should be found. - -=cut - -Users must be able to delegate individual rights - - * Is it that users can delegate any and all rights but it's - only rights they _have_ which actually grant rights. - -rights must not be redelegated - -users must be able to create groups to which rights can be delegated. - -Only users who have the "delegate rights" right can delegate rights. - - -When a user's right to do something is revoked, the delegation must -be revoked - - * For any delegated ACL check, the delegator's right must be - checked immediately after the delegatee's right. - If a user has had a right delegated by multiple parties, - this may mean that we need to actually loop through and check - a bunch of possible delegations. Or can we craft a "has delegated - right" ACL check. - - - - - - - -ACL 1 Group Q has the right to Frob ObjectI. 
-ACL 2 User A has the right "DelegateRights" - -Group Q has the member Group S -Group S has the member Group R -Group S has the member Group T -Group R has the member user A -Group T has the member user A - -User A delegates to Group P the right to Frob ObjectI - - New ACL rule: - - ACL 3: Group P has the right to Frob ObjectI - as delegated from ACL1 by User A - - -In the case where ACL1 is revoked: - - find all acls which are delegated from ACL1. - Delete them - -In the case where User A is removed from group R - - Get the list of all groups that A was in by way of group R before the removal - Get the list of all groups that A is in _after_ the removal. - - Find all the ACEs granted to each group that A is no longer in. - For each ACE in that list, find all the rights that A has delegated. - Whack them. - -In the case where Group S is removed from group Q - - - Get a list of all groups that S was in by way of Q before the removal - Call this list O. - - For each user X who's a member of S (directly or indirectly): - Get a list of all groups that X is in after removal. - For each group in O that X is no longer a member of: - Find all ACEs granted to O - For each ACE, look up all the delegations that X has made. - For each delegation - WHACK IT
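Review bot: Missing documentation: the removed lines from "When a user's right to do something is revoked" through the three "In the case where ..." procedures state the revocation rules for delegated rights, and this diff deletes them without pointing to where they now live. Those rules are that ACLs delegated from a revoked ACL are deleted, and that a user removed from a group loses the delegations made from ACEs granted to the groups they are no longer in. Suggest naming in the commit message the document or code that supersedes this file, or carrying "rights must not be redelegated" and "the delegator's right must be checked immediately after the delegatee's right" into whatever replaces it. The two open questions in the text are also dropped unresolved: whether users can delegate rights they do not hold, and whether a single "has delegated right" ACL check can replace looping over the possible delegations.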