Quick Question about ACL Behavior
October 5th, 2008 by Dario Solera | Filed under Community, Security, Software Design.
The ACL engine is on its way and is progressing quickly.
I’m writing a lot of unit tests for the code that decides whether or not an action is allowed, because a security breach in that code won’t be easy to spot in a running system. However, I found myself laying out a test for the case in which a user or group has a grant on the root namespace (say, she can edit pages) and no other information is available for a sub-namespace. If namespaces were folders, the permission would be inherited and the user would be allowed to edit pages in the sub-namespace, but namespaces are designed to be more like sub-wikis than simple collections of pages. I don’t think they are semantically nested within one another.
The question is: should permissions in sub-namespaces be inherited from the root namespace? I think they should not, but I’m asking your opinion. The difference in code is only a few lines, so for once that is not a problem.
Update. After thinking about this problem a little more, and after reading Will’s comment, I think the best option is to inherit permissions from the root namespace. This way ACLs are really an opt-in feature, and administrators don’t have to worry about them if they find the default settings satisfactory. Thoughts?



I think they should, as that’s the expected behavior. Besides, how would you set permissions for users on all sub-wikis at once?
Every user should be given default read-only permissions on the root. If a sub-wiki is private, the ability to rewrite inherited rights (think of how this is done in web.config) to deny the default behavior would be needed.
All in all, I believe you should ape the current paradigms for no other reason than that people will expect them to behave that way, and until they learn that it doesn’t, they’ll have issues requiring support.
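A worked model of the behaviour settled on in the post’s update and in Will’s comment above: grants on the root namespace are inherited by sub-namespaces, a sub-namespace can cancel an inherited grant with an explicit deny (first matching entry wins at a level, as in web.config), and anything not covered is denied by default. This is an added example written for this page, not code from ScrewTurn Wiki; the “/” separator, the `user:`/`group:` subject names, the action names and the sample policy are all assumptions.

```python
"""Hypothetical namespace ACL resolver (added example, not ScrewTurn Wiki code).

Models the design discussed in the post:
  * permissions set on the root namespace are inherited by sub-namespaces
    (lookup walks from the most specific namespace back to the root);
  * a sub-namespace can override what it inherits with an explicit deny, the
    way a nested web.config can with <deny>; as in web.config, the first entry
    that matches the caller at a level decides, so entry order matters;
  * when nothing matches at any level the action is denied (default closed).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    subject: str   # assumed format: "user:<name>" or "group:<name>"
    action: str    # assumed names, e.g. "read_pages", "edit_pages"
    allow: bool    # True = grant, False = explicit deny


# namespace path -> ordered entries; evaluated top to bottom, first match wins
Acl = Dict[str, List[AclEntry]]

SEP = "/"  # assumed sub-namespace separator (the post does not specify one)


def namespace_chain(namespace: str) -> List[str]:
    """Most-specific-first: 'Root/Docs/Internal' -> ['Root/Docs/Internal', 'Root/Docs', 'Root']."""
    parts = namespace.split(SEP)
    return [SEP.join(parts[:i]) for i in range(len(parts), 0, -1)]


def resolve(acl: Acl, subjects: List[str], namespace: str, action: str,
            inherit: bool = True) -> Tuple[bool, str]:
    """Decide whether any of `subjects` (the user plus her groups) may perform
    `action` in `namespace`.  Returns (allowed, reason) so a unit test can check
    *why* a decision was made, not only what it was."""
    chain = namespace_chain(namespace) if inherit else [namespace]
    for ns in chain:
        for entry in acl.get(ns, []):
            if entry.action == action and entry.subject in subjects:
                verb = "allowed" if entry.allow else "denied"
                return entry.allow, f"{verb} by {entry.subject} at {ns!r}"
        # nothing said about this action/these subjects here: try the parent
    return False, "no matching entry: denied by default"


def is_allowed(acl: Acl, subjects: List[str], namespace: str, action: str,
               inherit: bool = True) -> bool:
    return resolve(acl, subjects, namespace, action, inherit)[0]


# Constructed sample policy (not from the post).
SAMPLE_ACL: Acl = {
    "Root": [
        AclEntry("user:carol", "edit_pages", False),      # carol is an editor but is blocked
        AclEntry("group:editors", "edit_pages", True),
        AclEntry("group:everyone", "read_pages", True),   # Will's default: read-only for all
    ],
    "Root/Private": [                                     # a private sub-wiki
        AclEntry("group:staff", "read_pages", True),      # must come before the deny
        AclEntry("group:everyone", "read_pages", False),  # revokes the inherited read grant
    ],
    # "Root/Docs" has no entries at all: it gets exactly what it inherits.
}

ALICE = ["user:alice", "group:everyone", "group:editors"]
BOB = ["user:bob", "group:everyone", "group:staff"]
CAROL = ["user:carol", "group:everyone", "group:editors"]
MALLORY = ["user:mallory", "group:everyone"]

if __name__ == "__main__":
    for who, subj, ns, act in [("alice", ALICE, "Root/Docs", "edit_pages"),
                               ("alice", ALICE, "Root/Private", "read_pages"),
                               ("bob", BOB, "Root/Private", "read_pages"),
                               ("carol", CAROL, "Root/Docs", "edit_pages"),
                               ("mallory", MALLORY, "Root/Docs", "delete_pages")]:
        print(who, act, ns, resolve(SAMPLE_ACL, subj, ns, act))
    # The alternative the post asked about: without inheritance a fresh
    # sub-namespace grants nothing until an administrator configures it.
    print("alice edit Root/Docs, no inheritance:",
          resolve(SAMPLE_ACL, ALICE, "Root/Docs", "edit_pages", inherit=False))
```

The `inherit` flag is the few-lines difference the post mentions: with it off, `alice` loses her editor grant in `Root/Docs` until someone adds an entry there, which is the support burden Will predicts. Returning the deciding entry alongside the boolean makes the unit tests the post is writing far more useful, since a test can assert that an inherited grant was cancelled by the sub-namespace deny rather than by the default-closed fallback.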
I see what you mean Will, and I find it reasonable. After all, the creation of a new namespace happens rarely, if ever, and the administrator who does it should take care of the permissions if she wants.
ACLs should be an opt-in feature for me, and inheriting from the root is the behavior that requires the least effort for the admins.
I agree with Will.