Commit b39a53b1b9d9e6db93bf36617b026de9ad3dc379
1 parent
e78cd457
some more stuff in rbac files...still nothing really useful, but finally I have …
…more or less an idea how to implement it
Showing
2 changed files
with
73 additions
and
6 deletions
... | ... | @@ -28,13 +28,29 @@ |
28 | 28 | #include "class.h" |
29 | 29 | #include "storage/storage.h" |
30 | 30 | |
31 | +/** | |
32 | + * These might be hardcoded within the application. | |
33 | + * In fact, as we are creating a restful CRUD application we might | |
34 | + * consider not having these at all but define that each resource | |
35 | + * might potentially have either Create, Read, Update and Delete | |
36 | + * actions. | |
37 | + * | |
38 | + * Suggestion Actions as Bitmask... | |
39 | + */ | |
40 | +typedef enum e_ResourceActions { | |
41 | + CREATE = 1, | |
42 | + READ = 2, | |
43 | + UPDATE = 4, | |
44 | + DELETE = 8 | |
45 | +} ResourceAction; | |
46 | + | |
31 | 47 | |
32 | 48 | CLASS(Permission) { |
33 | - char id[37]; | |
34 | - unsigned long hash; | |
49 | + char id[37]; | |
50 | + unsigned long hash; | |
35 | 51 | |
36 | - char * resource; | |
37 | - int action; | |
52 | + char * resource; | |
53 | + ResourceAction action; | |
38 | 54 | }; |
39 | 55 | |
40 | 56 | #endif // __PERMISSION_H__ | ... | ... |
... | ... | @@ -41,9 +41,60 @@ CLASS(Role) { |
41 | 41 | * \todo We need a good way to serialize a hash. |
42 | 42 | * If I can't find any I should choose a different |
43 | 43 | * data structure here...but I think there is a way. |
44 | + * And as there is none I will change this to simple | |
45 | + * arrays and add an index to them that is a hash. | |
46 | + * The arrays could even be static. | |
47 | + * When a role is load the index on permissions and | |
48 | + * users is updated each time. | |
49 | + * The longer I think about it the less I think this | |
50 | + * role based approach is good... | |
51 | + * Each user is able to create resources (tasks, | |
52 | + * projects, etc.) but in the first place these should | |
53 | + * only be accessible for her/him. Then he should be | |
54 | + * able to allow other users or groups of users to | |
55 | + * access these but with each of these separately. | |
56 | + * So at least this can't be accomplished only with | |
57 | + * roles or else a role has to be created for every | |
58 | + * resource. | |
59 | + * OK, lets think about some roles: | |
60 | + * - owner (for each resorce ... this will enable us | |
61 | + * to share ownership.) | |
62 | + * - viewer (for each resource ... these might only | |
63 | + * see the resource.) | |
64 | + * - projectmember (for each project resource) | |
65 | + * - teamlead (might have special rights for some projects | |
66 | + * and be able to see what each projectmember | |
67 | + * can see) | |
68 | + * - projectowner (well ... this might be owner of | |
69 | + * a project resource) | |
70 | + * - projectadmin (being able to change parts of the project | |
71 | + * but can't see everything...) | |
72 | + * | |
73 | + * I think I do not need an index here...because these are only | |
74 | + * used to setup a permission set within the user session...so | |
75 | + * these are simply added to this set..... | |
76 | + * With the users it is a different story...in fact i don't think | |
77 | + * that this relation should be stored here...this is an extra | |
78 | + * relation which is indexed by the usr name and credential and | |
79 | + * holds an array of roles he is in...on the other hand...if | |
80 | + * a role changes we need a fast way to get all users to update | |
81 | + * their permissions if they are online... | |
82 | + * | |
83 | + * New thoughts, a resource might be either a URL or a userid. | |
84 | + * When it is a userid the configured rights are valid for all | |
85 | + * resources owned by that user. | |
86 | + * Each grouped resource has less precedence than a specific | |
87 | + * one. That means, access rights can be removed for single | |
88 | + * resources after they have been added via a grouped resource. | |
89 | + * By default each user is assigned a role that allows him to | |
90 | + * do everything with every resource she/he has created. | |
91 | + * This role is also named after the user id. | |
44 | 92 | */ |
45 | - Hash permissions; | |
46 | - Hash users; | |
93 | + Permission * permissions; | |
94 | + size_t npermissions; | |
95 | + | |
96 | + User * users; | |
97 | + Hash users_idx; | |
47 | 98 | }; |
48 | 99 | |
49 | 100 | #endif // __ROLE_H__ | ... | ... |
Please
register
or
login
to post a comment