[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Checking write permission from a perl script
I agree,
the access controls in many services such as the ldap service are limited
and for performance reasons should be used in a minimalistic manner. Therefore
the user interface should control the accessability to information then act as
a proxy to perform the modifications for the requester.
Some will say that the access controls of open ldap are extensive particular
if using group memeberships as part of the access control rules, yes but the
performance is inhibited by the methods used to determine groups memberships.
For this reason I have deployed master slave services where the master is used
for all updates and has all the access controls under sun but the slaves,
being used for reading only by particular clients, have very minimalistic
acl's.
I recently attempted to track down the code used to determine if an attribute
has an index and to then use it with a view to patching the process into the
acl determination. After half an hour I finally tracked it down. I ran out of
time to try a patch but I beleive it could be done but there would negative
performance gains if the groups used are small. My gut reaction would be that
it would be worth while to try.
Cheers,
Gerrit Thomson.
Dustin Sallings wrote:
> On Thu, 4 May 2000, Chris Garrigues wrote:
>
> # > I'm having a hard time imagining where that would be useful. What
> # > are you trying to do?
> #
> # I don't want to offer to my user the opportunity to change things that
> # can't be changed.
>
> Ahh...that makes sense. You need to be prepared for the thing to
> fail either way, but from a UI point of view, it is a good idea to just
> not show something. The way I handle that in my own tools is to have the
> interface understand what groups are allowed to do which things, and have
> the list of groups the user is in stored in the application. Then I just
> do something like (obviously pseudo-code):
>
> if(user_is_in_group("blah")) {
> showOption("options_requiring_blah");
> }
>
> --
> SA, beyond.com My girlfriend asked me which one I like better.
> pub 1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
> | Key fingerprint = 87 02 57 08 02 D0 DA D6 C8 0F 3E 65 51 98 D8 BE
> L_______________________ I hope the answer won't upset her. ____________