[TYPO3-50-general] FLOW3 ACL/Policy syntax discussion

Sebastian Kurfürst sebastian at typo3.org
Sun Jul 5 22:47:23 CEST 2009


Hi everybody,

sorry for being so quiet in this important discussion :-) I have now  
read through all the proposals and while reading through Andi's  
initial proposal, I had the same feeling like Robert, namely that the  
privileges can be either ("do not allow" or "do allow" or maybe "keep  
as is"), and the rest can be done with predefined resources.

> Speaking of roles: I suggest to not make them all uppercase because
> that means "constant" which is not true in this case. As far as I
> understand it, there can be any number of self defined roles, right?
+1

> I'm not really sure about the privileges: ACCESS_GRANT etc. are all
> built-in. Is there a manageable number of privileges?
IMHO ACCESS_GRANT and ACCESS_DENY should be enough, no?

> acls:
>    Administrator:
>      deleteMethods: ADD_GRANT
>
> I could imagine that we implement the READ, WRITE, UPDATE ... cases by
> some predefined
> resources:
> and the privileges are boiled down into GRANT and DENY (maybe we need
> some BARGAIN privilege?).
So, do I see it correctly that you would only want 2 or 3 privileges?  
That was my idea as well.

>
>> Restrict method executions based on method parameters:
>>
>> deleteMethods:  ACCESS_DENY($param.check > 10)
>> //execution is only allowed, if method parameter "check" is greater
>> than 10.
>
I would feel it should be ACCESS_GRANT($param.check > 10), as denial  
should be implicit if nothing is said. Or did I misunderstand the  
concept completely? :-)

>      MyApp.generalStuff.deleteMethods: DENYIF(parameters.check > 10
> && parameters.foo == 'bar')
It should be GRANT_IF, no?

> If we have predefined resources, grouping privileges doesn't make
> sense anymore, do they? In fact the whole "privileges:" section would
> be needless.
+1


Greets,
Sebastian
PS: Thanks again for your great proposal!
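
Added example, not part of the original message and not FLOW3 code: a small default-deny evaluator showing how the two spellings discussed above behave when denial is implicit. `Rule`, `evaluate`, the policy names and the "DENY wins over GRANT" ordering are assumptions made for illustration; the role, resource and condition come from the quoted proposal.

```python
# Added illustration, not FLOW3 code. Rule, evaluate and the policy names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional

GRANT, DENY = "GRANT", "DENY"


@dataclass
class Rule:
    role: str
    resource: str
    privilege: str  # GRANT or DENY
    condition: Optional[Callable[[dict], bool]] = None  # None means unconditional

    def matches(self, roles, resource, params):
        if self.role not in roles or self.resource != resource:
            return False
        if self.condition is None:
            return True
        try:
            return bool(self.condition(params))
        except (KeyError, TypeError):
            # Missing or wrongly typed parameter: the rule does not apply.
            return False


def evaluate(rules, roles, resource, params):
    """Allow only if a GRANT matches and no DENY matches (assumed: DENY wins)."""
    matched = {r.privilege for r in rules if r.matches(roles, resource, params)}
    return GRANT in matched and DENY not in matched


# The two spellings from the thread for resource "deleteMethods".
GRANT_IF_POLICY = [Rule("Administrator", "deleteMethods", GRANT, lambda p: p["check"] > 10)]
DENY_IF_POLICY = [Rule("Administrator", "deleteMethods", DENY, lambda p: p["check"] > 10)]

if __name__ == "__main__":
    for name, policy in (("GRANT_IF", GRANT_IF_POLICY), ("DENY_IF", DENY_IF_POLICY)):
        for params in ({"check": 11}, {"check": 10}, {}):  # constructed inputs
            print(name, params, evaluate(policy, {"Administrator"}, "deleteMethods", params))
```

With implicit denial, the conditional DENY on its own never permits anything, while the conditional GRANT fails closed when the parameter is missing. In this sketch a conditional DENY paired with an unconditional GRANT fails open when its condition cannot be evaluated.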

