Hi,
Is it possible to "query" what permissions an "entity" has prior to them trying to make a change or addition? In context, I'm writing an app that has different levels of editing based on who you are / what groups you're in, etc.
From the majority of examples I've seen this seems to be a try-fail sort of thing: try to edit, and if it fails you report the error (usually no permissions). It would be really handy to turn that around and query the server first, and give the user an interface which only has the parts they can edit as editable. I could code in which groups have access, etc., but then if I add extra groups to the ACL I'll need to change code... Simply trying to modify every attribute, then catching/reporting failures or using this to work out what they can edit, just feels dirty and surely isn't very efficient. Is there an alternative?
TIA Shane.
Shane wrote:
Is it possible to "query" what permissions an "entity" has prior to them trying to make a change or addition?
This is more of an LDAP usage question, rather than about OpenLDAP software.
You'd be better served by pinging:
http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
Why not use roles/groups?
As for "I could code in which groups have access etc but then if I add extra groups to the ACL I'll need to change code", this is just bad coding ;-)
Have your code send a query for the groups that are allowed to do things, i.e. another entry for an action/ACL, with the groups that can perform these actions as attributes. Then do another query to check the user is in that group. Or do some & (AND) searches, etc.
Please shout all if I'm talking rubbish ;-)
Thanks.
Shane wrote:
Is it possible to "query" what permissions an "entity" has prior to them trying to make a change or addition?
Well, you can send an update operation with the noop (No Operation) control attached. Then the server will not perform the operation, but it'll (try to) tell you if you have access to perform it. Some backends support it, some don't.
However, the result doesn't necessarily tell you if you'd have access to perform some slightly different operation, so you have to treat the result as a hint. It depends on the access controls in the server, which can be quite complex.
Shane wrote:
Is it possible to "query" what permissions an "entity" has prior to them trying to make a change or addition? [...] It would be really handy to turn that around and query the server first and give an interface to the user which only has the parts they can edit as editable.
The short answer is: no.
The long(er) answer is: there's no way besides trying the modification you desire (possibly with the no-op control, <draft-zeilenga-ldap-noop>).
A workaround is: you can get a guess, which is not a guarantee but should be considered a hint and, as such, suitable to "grey out fields in a GUI", by using the "allowed" overlay, http://www.openldap.org/its/?findid=4730.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
openldap-software@openldap.org
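An added example (not from this thread or from OpenLDAP) of turning the "allowed" overlay's answer into the greyed-out GUI the original post asked for. It assumes the contrib `allowed` overlay is loaded on the server and that the application, bound as the user, runs a base-scope search on the entry it wants to edit requesting the operational attributes allowedAttributes (what the entry's object classes permit) and allowedAttributesEffective (the subset the bound identity may write under the ACLs). The LDIF below is constructed, not captured from a server; the DN and the ACL outcome are made up.

```python
import base64

# Constructed sample of what a base-scope ldapsearch for the two operational
# attributes could return with the contrib 'allowed' overlay loaded. Not captured
# from a real server; the DN, attributes and ACL outcome are made up.
SAMPLE_LDIF = """\
dn: uid=shane,ou=people,dc=example,dc=com
allowedAttributes: cn
allowedAttributes: sn
allowedAttributes: mail
allowedAttributes: telephoneNumber
allowedAttributes: userPassword
allowedAttributesEffective: mail
allowedAttributesEffective: telephoneNumber
allowedAttributesEffective: userPassword
"""


def parse_ldif_entry(ldif_text):
    """Parse a single LDIF entry into {attr (lowercased): [values]}.

    Handles folded continuation lines (leading space) and base64 values ("attr:: ...").
    """
    logical_lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]        # LDIF folding: continue the previous line
        elif raw.strip() and not raw.startswith("#"):
            logical_lines.append(raw)
    entry = {}
    for line in logical_lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def field_states(ldif_text, form_fields):
    """Classify each GUI field as 'editable', 'readonly' or 'unknown' for the bound identity.

    allowedAttributes          = attributes the entry's object classes permit
    allowedAttributesEffective = the subset this bind may write under the server ACLs
    A field in neither list, or an entry carrying neither attribute (for example the
    overlay is not loaded), is 'unknown': the GUI should fall back to try-and-report.
    """
    entry = parse_ldif_entry(ldif_text)
    schema_ok = {v.lower() for v in entry.get("allowedattributes", [])}
    acl_ok = {v.lower() for v in entry.get("allowedattributeseffective", [])}
    states = {}
    for field in form_fields:
        key = field.lower()
        if key in acl_ok:
            states[field] = "editable"
        elif key in schema_ok:
            states[field] = "readonly"          # schema allows it, ACL denies write for this bind
        else:
            states[field] = "unknown"
    return states
```

As the reply above says, this is a hint, not a guarantee: the server evaluates its ACLs again on the real modify, so the application still has to send the operation and handle a refusal. Greying out fields is a convenience for the user, never the access control itself.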