Kurt D. Zeilenga wrote:
> I'm not sure it makes sense to regard "add" and "delete" as separate levels from "write", nor can I see (if the levels are added) how to order "add" and "delete"... seems there are reasonable arguments that add>delete and delete>add or add<>delete.
> Maybe we just need to split the "w"rite permission into "a"
> (add) and "z" (delete), where =w is equivalent to =az,
> but not add levels for add and delete?

In fact, in my patch "write" is a level, and "add" and "delete" are qualifiers of that level. So, both "add" and "delete" qualify for the "write" level, but apply to separate types of "write". When one specifies "write", it means that one is requesting all levels up to "write", as usual, while "a" and "z" can only be specified as privileges, i.e. in the "+a" form.

> BTW, is this mainly aimed at entry add/delete controls?
> or attribute add/delete controls?

It applies to both. The patch also addresses the modify operation: add is required for additions, delete for deletions and both for replacements.

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
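
The privilege semantics described in this message, modelled in Python as an added example (not code from the patch or from slapd). The level ordering and the x/c/s/r letters are assumed from slapd's existing access syntax, and `apply_access` and `denied_mods` are hypothetical names.

```python
# Added illustration of the "write" = "add" + "delete" split discussed above.
# Assumption: levels and their letters follow slapd's access syntax, simplified.
LEVELS = ["auth", "compare", "search", "read", "write"]  # lowest first
LETTER = {"auth": "x", "compare": "c", "search": "s", "read": "r"}

# Privileges a modification needs, as stated in the message:
# add for additions, delete for deletions, both for replacements.
NEEDED = {"add": {"a"}, "delete": {"z"}, "replace": {"a", "z"}}


def apply_access(current, spec):
    """Return the privilege set after applying one access spec.

    A level name grants every level up to and including it.
    "=letters" resets, "+letters" adds, "-letters" removes privileges.
    The letter "w" always expands to "a" (add) plus "z" (delete).
    """
    if spec in LEVELS:
        privs = set()
        for level in LEVELS[: LEVELS.index(spec) + 1]:
            privs |= {"a", "z"} if level == "write" else {LETTER[level]}
        return privs
    op, letters = spec[:1], spec[1:]
    if op not in ("=", "+", "-") or not letters:
        raise ValueError(f"bad access spec: {spec!r}")
    privs = set()
    for ch in letters:
        if ch == "w":
            privs |= {"a", "z"}
        elif ch in "azxcsr":
            privs.add(ch)
        else:
            raise ValueError(f"unknown privilege: {ch!r}")
    if op == "=":
        return privs
    return current | privs if op == "+" else current - privs


def denied_mods(privs, mods):
    """Return the (op, attribute) modifications that privs does not cover."""
    return [(op, attr) for op, attr in mods if not NEEDED[op] <= privs]


if __name__ == "__main__":
    # Constructed request: a subject with "read" plus "+a" may add values
    # but may neither delete nor replace them.
    granted = apply_access(apply_access(set(), "read"), "+a")
    request = [("add", "member"), ("delete", "member"), ("replace", "description")]
    print(sorted(granted), denied_mods(granted, request))
```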