a/Allura/docs/guides/permissions.rst b/Allura/docs/guides/permissions.rst
...
...
6
6
7
In the allura system `users` can be assigned to various `groups` or 
7
In the allura system `users` can be assigned to various `groups` or 
8
roles on a per-project basis.
8
roles on a per-project basis.
9
9
10
Users can be members of many groups, and both `users` and `groups` can 
10
Users can be members of many groups, and both `users` and `groups` can 
11
be assigned a list of `permissions` like `"add_subproject"`, 
11
be assigned a list of `permissions` like `add_subproject`, 
12
`"commit_to_master"`or "admin_users".   Tools can define their own
12
`commit_to_master` or `admin_users`.   Tools can define their own
13
set of permissions, for their artifacts.   Tools are encouraged to
13
set of permissions, for their artifacts.   Tools are encouraged to
14
prefix their permissions with the tool name so for a tool called
14
prefix their permissions with the tool name, so for a tool called
15
"tracker" a good permission name would be `"tracker_edit_ticket"`
15
"tracker" a good permission name would be `tracker_edit_ticket`.
16
16
17
Artifacts and ACL's 
17
Individual artifacts and ACL's 
18
---------------------------------------------------------------------
18
---------------------------------------------------------------------
19
19
20
There are also likely to be some permissions that you want to assign
20
There are also likely to be some permissions that you want to assign
21
to particular people or roles for a particular `Artifact` such as 
21
to particular people or roles for a particular `Artifact` such as 
22
a particular bug in the ticket tracker.   PyForge supports this via
22
a particular bug in the ticket tracker.   PyForge supports this via
23
an acl field on every `Artifact` instance. 
23
an ACL field on every `Artifact` instance. 
24
24
25
Permission calculation
25
Permission hierarchy
26
--------------------------------------------------------------------
26
--------------------------------------------------------------------
27
27
28
Projects and subprojects can define user `groups`, but for any particular
28
Projects and subprojects can define user groups, but for any particular
29
subproject the groups the user belongs too is additive.  This follows
29
subproject the set of groups the user belongs to is additive.  This follows
30
the basic principle that sub-project permissions and artifact permissions
30
the basic principle that sub-project permissions and artifact permissions
31
can *allow* additional access, but can't *restrict* it beyond 
31
can *allow* additional access, but can't *restrict* it beyond 
32
what permissions are allowed by a higher level project. 
32
what permissions are allowed by a higher level project. 
33
33
34
The magic of **predicates**
34
Permission predicates
35
---------------------------------------------------------------------
35
---------------------------------------------------------------------
36
36
37
Predicates are simple functions, several of which are defined in PyForge 
37
Predicates are simple functions, several of which are defined in PyForge 
38
itself, and which can be added by any tool, which return `true` if
38
itself, and which can be added by any tool, which return true if
39
permission is granted, and false if it is not. 
39
permission is granted, and false if it is not. 
40
40
41
An example predicate function `has_project_access` takes two params, an object
41
An example predicate function `has_project_access` takes two params, an object
42
and an `permission` string.  It then checks to see if the current user 
42
and a `permission` string.  It then checks to see if the current user 
43
(picked up from the environment) has permission to perform that action on 
43
(picked up from the environment) has permission to perform that action on 
44
that object, following the above rules. 
44
that object, following the rules above. 
45
45
46
46
47
47
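Review bot: On new lines 11, 12 and 15 the permission names drop their quotes but keep single backticks (`add_subproject`, `commit_to_master`, `admin_users`, `tracker_edit_ticket`). In reStructuredText that is interpreted text in the default role, not an inline literal, so these names will not render as code. Use double backticks for them, and for `Artifact`, `has_project_access` and `permission` elsewhere in the file. Since line 23 is already touched for "acl" to "ACL", it is also worth settling the product name: new line 7 says "allura system" while new lines 22 and 37 still say "PyForge". Finally, the section renamed to "Permission hierarchy" keeps the sentence "can *allow* additional access, but can't *restrict* it beyond what permissions are allowed by a higher level project", which is easy to misread. Consider stating directly that a subproject or artifact ACL can grant access in addition to what the parent project grants, but cannot take away access the parent grants, because that is the rule anyone auditing access needs.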