Forum OpenACS Development: Permission question

Posted by Malte Sussdorff on 09/14/02 11:39 PM

It's probably somewhere out there in the design docs, but: Is it
possible to give someone read and/or write access to all the objects
of a different user? I was thinking of the secretary that needs to
keep a calendar of her boss up to date as well as edit some of his
memos before sending them out aso. I know, you can put her and her
boss into one group, give both read/write access to group objects and
there you go. But maybe there is a more elegant way (or can be
implemented in 4.7).

2: Response to Permission question (response to 1)

Posted by John Mileham on 09/15/02 12:16 AM

Here's one possibility that depends greatly on the behavior of the various
apps used to create the data that the secretary needs to edit. You could grant
the secretary "write" on the boss. If all the apps that the boss uses on the site
set the data's context ID to the boss himself, then that'll do the trick.

This would have the potentially adverse side effect of giving the secretary
write permissions on the boss's user profile, which might be a good thing in
your case.

Of course if the boss does things in content-centric applications (as opposed
to user-centric apps like personal calendars, etc), the chances that those apps
set the context_id of the data that he/she creates to his/her user_id (either
directly or through inheritence) is significantly lower, so the plan would likely
break down under a number of circumstances. This would be an easy but
highly inflexible hack.

Probably the most effective and clean method would be to create a new rel
type with similar semantics to the composition rel, but one that allows both
sides to be users. That would create a sort of setuid-style permissions
inheritence from the first party to the second. It's been a while since i hacked
around in the party_element_index denormalization, so it's hard to for me to
say off-hand whether this would be easy or hard, but i'd imagine it's either a 5
minute fix or a rather intense edit of some pretty complicated triggers to make
it all work. Either way, that sounds like it would be a cool feature to have.

3: Response to Permission question (response to 1)

Posted by Tilmann Singer on 09/20/02 01:43 AM

From the too-late-and-obvious-answers-department: For the particular example the most practical way would propably be to explicitely give the secretary write permission to the boss's calendar object.

There are other situations where creating an extra group would make more sense.