> On Aug 2, 2022, at 11:08 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> Hi Shawn, some questions regarding page 4.2 - Check access:
>
> wondering if it wouldn't be easier to extend the AccessMgr.checkAccess method to take more parameters, like:
>
> boolean result = accessMgr.checkAccess( session, objectName, operationName );
>
> The Permission object you have to create is a bit of a useless burden: the user knows which object he wants to operate on, and which operation it wants to apply.

Agreed. There are quite a few other methods that are like this on the other interfaces. But, this is low-hanging fruit. It’s only one method and perhaps the most used.

> Also why don't we pass the session as a parameter on this call:
>
> AccessMgr accessMgr = AccessMgrFactory.createInstance(session);
>
> instead of
>
> AccessMgr accessMgr = AccessMgrFactory.createInstance();
>
> wdyt?

Assuming the benefit here is passing the user’s session makes it so that it doesn’t have to be passed in as an argument on the methods. It’s a good idea.

Interestingly, a variation of this approach is present on the class’s super:

https://nightlies.apache.org/directory/fortress/2.0.8/apidocs/org/apache/directory/fortress/core/Manageable.html#setAdmin(org.apache.directory.fortress.core.model.Session)

Only here we’re passing the ‘admin’ session, used for administrative permission checks. A setUser(Session session) method could be added. Or, as you suggest, a new constructor. Either way, it’s a bit of work although low risk and low complexity. But, several methods would have to be duplicated:

add/dropActiveRole, authorizedRoles, checkAccess, sessionRoles, sessionPermissions

I’m not opposed to the idea. All of this is a byproduct of the ANSI RBAC specs. Perhaps it's time to create new interfaces that are in line with current programming practices.

Thanks for the suggestions Emmanuel. I’ll go ahead and add the new checkAccess, passing in Strings instead of objects. The other suggestion needs more thought. Interested in what others have to say here as well.

—
Shawn
