[Yanel-dev] Policies: bug or feature?
Michael Wechner
michael.wechner at wyona.com
Fri Aug 6 00:43:41 CEST 2010
Claudio Corrodi wrote:
> Hi
>
> Today I was testing an application's policies where at some point I
> had the following config:
>
> <usecase id="full">
> <world permission="true"/>
> </usecase>
>
> I wanted to turn on and off access for the user "bob", so I introduced
> the line:
> <user id="bob" permission="false"/>
>
> I noticed that it depends where this line is inserted whether bob is
> authorized or not. If I put the line before the <world> tag, then bob
> isn't authorized. But if I put it after the <world> tag, the policy
> manager's "authorize" function returns true.
>
> So it seems that the first line which matches the user is returned. Is
> this the intended behaviour?
yes, the order does matter, whereas this depends on the PolicyManager
implementation and is not
part of the API
> Another possibility would be to use the most restrictive or the most
> open policy that matches the user.
>
> What do you think?
I think the main question is should we somehow make this part of the API?
Cheers
Michael
>
> Regards, Claudio
More information about the Yanel-development
mailing list