[Cosmo-dev] current-user-privilege-set and tickets
Brian Moseley
bcm at osafoundation.org
Sat Aug 26 16:10:33 PDT 2006
On 8/23/06, Lisa Dusseault <lisa at osafoundation.org> wrote:
> What do you see as a different use case? Why would a user want to
> know if they have write permission and care whether they've obtained
> it via a ticket or ACL?
i don't have any use case in mind. i'm just advocating for
security-conscious clients that may or may not exist today or in the future
that may or may not care about the difference.
> I don't follow the argument. I agree ACL queries are one thing, and
> ticket queries are another, but CUPS basically asks "What can I do on
> this resource right now?" and thus the answer can ignore those
> tickets that aren't relevant to the permissions that would be applied
> to this user/session/request. Perhaps CUPS would have been better
> named "Current context privilege set" or just "current privilege
> set"; if it were would you feel the same way about it?
no, i'd be fine with merging all the permissions ;)
i understand that tickets and other access control schemes weren't
necessarily on people's minds when the access control spec was
written, but the name of the property sets a particular expectation, i
think.
anyway, i don't care *that* much. if everybody else thinks it's a
great idea to combine user and ticket permissions (and group too?)
into c-u-p-s, then i withdraw my objection.