PUSecurity

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

PUSecurity

Nick
Hi,

I'm struggling to understand how to use Pier Security. I have a number of different types of users (registeredUsers, projectOwners, AdminUsers, ....). I'd like to enable user specific options on the main pages, and restrict access to specific pages and commands to groups of users. I've grouped my users into different PUGroup s . Then without entirely understanding the intent of the code in PRDistribution>>root :

self rootPage enumerator
with;
all;
do: 
[ :each | 
each securityDecoration owner: self kernel users anyOne.
each securityDecoration group: self kernel groups anyOne ].
self makePrivate: self systemPage.

I modified my own configuration code to read:

self homePage enumerator
with;
all;
do: 
[ :each | 
each securityDecoration owner: self kernel users anyOne.
each securityDecoration group: self kernel groups anyOne.
each securityDecoration group: self kernel registeredUserGroup.
each securityDecoration group: self kernel projectUserGroup.
each securityDecoration group: self kernel adminUserGroup.
].

I can see that PUSecurity>>hasPermission:for: and PRStructure>>isAllowedCommand:in: should reveal the secrets of how security is designed to work, however the following code assumes all decorations satisfy the conditions

PRStructure>>isAllowedCommand:in: 
^ self decorations allSatisfy: [ :each |
each
isAllowedCommand: aCommandClass
in: aContext ] 



In my case this tests fails as not all decorations are allowed. For example if a user is in the group "projectOwners", isAllowedCommand:in: fails for the security decorator for "registeredUserGroup" and "adminUserGroup". With my limited understanding I would have expect the above loop to read "anySatisfy:" rather than "allSatisfy" . 

Clearly I've a misunderstanding about how Pier security is designed to function. Any pointers gratefully received.

Thanks

Nick

_______________________________________________
Magritte, Pier and Related Tools ...
https://www.iam.unibe.ch/mailman/listinfo/smallwiki
Reply | Threaded
Open this post in threaded view
|

Re: PUSecurity

Lukas Renggli
> each securityDecoration owner: self kernel users anyOne.
> each securityDecoration group: self kernel groups anyOne ].

The code above uses #anyOne under the assumption that there is only a
single user, as soon as you have more users this doesn't work anymore.

> each securityDecoration owner: self kernel users anyOne.
> each securityDecoration group: self kernel groups anyOne.
> each securityDecoration group: self kernel registeredUserGroup.
> each securityDecoration group: self kernel projectUserGroup.
> each securityDecoration group: self kernel adminUserGroup.

PUSecurity only has one group and one owner, if you call it multiple
times you override the previous setting.

> Clearly I've a misunderstanding about how Pier security is designed to
> function. Any pointers gratefully received.

PUSecurity works like file-permissions in Unix. A structure has a
single owner and a single group assigned. Furthermore the allowed
commands can be assigned for each structure to the owner of the
structure, the group of the structure and all other users (anybody
that is not the owner and not within the group). Finally there is a
user-specific flag called 'superuser' that gives all the permissions
in all contexts and avoids any security checks.

Lukas


--
Lukas Renggli
http://www.lukas-renggli.ch
_______________________________________________
Magritte, Pier and Related Tools ...
https://www.iam.unibe.ch/mailman/listinfo/smallwiki