Inheritance of Authorization

Background

The system may either specify a node's access control list explicitly, or the node may inherit its permissions from an ancestor.

To make authorization efficient, each node has a permissions "benefactor" reference, which is a pointer to the ancestor node that has its access control specified. This allows us to avoid "walking" the node hierarchy tree with every authorization check.

Classes/methods

AuthorizationManager

- overrideInheritance(id): (1) clone the permissions of the current benefactor (via UserGroupDAO); (2) change the benefactor reference of 'id' and all of 'id's descendants to be id (via NodeInheritanceManager.setInherits(false, id)).

- restoreInheritance(id): (1) change the benefactor reference of 'id' and all of 'id's descendants to be the benefactor reference of 'id's parent (via NodeInheritanceManager.setInherits(true, id)); (2) remove the explicit permissions for 'id'.

NodeManager

- setParent()

NodeInheritanceManager

- parentChanged(id)

- setInherits(boolean b, id)

if b==true: change the benefactor reference of 'id' and all of 'id's descendants to be the benefactor reference of 'id's parent

if b==false: change the benefactor reference of 'id' and all of 'id's descendants to be id
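
The benefactor scheme above can be modelled in memory as follows. This is an added example, not the project's own code: the `Tree` class and the Python method names (renderings of overrideInheritance, restoreInheritance and setInherits) are hypothetical, and setInherits follows the mapping given under AuthorizationManager. It also assumes that a descendant carrying its own ACL keeps it when an ancestor's inheritance changes, which the page does not state.

```python
# Added example: in-memory model of the benefactor scheme (not project code).
class Tree:
    def __init__(self):
        self.parent = {}      # node id -> parent id (None for the root)
        self.benefactor = {}  # node id -> id of the node whose ACL applies
        self.acl = {}         # benefactor id -> {principal: set of permissions}

    def add(self, node, parent=None, acl=None):
        self.parent[node] = parent
        if parent is None:                  # the root always carries its own ACL
            self.benefactor[node] = node
            self.acl[node] = acl or {}
        else:                               # assumption: new nodes start out inheriting
            self.benefactor[node] = self.benefactor[parent]

    def _subtree(self, node):
        yield node
        for child in [c for c, p in self.parent.items() if p == node]:
            yield from self._subtree(child)

    def set_inherits(self, inherits, node):
        old = self.benefactor[node]
        new = self.benefactor[self.parent[node]] if inherits else node
        for n in self._subtree(node):
            # Assumption: only nodes sharing the old benefactor are re-pointed,
            # so a nested subtree with its own ACL keeps it.
            if self.benefactor[n] == old:
                self.benefactor[n] = new

    def override_inheritance(self, node):
        if self.benefactor[node] == node:
            raise ValueError("node already has its own ACL")
        source = self.acl[self.benefactor[node]]
        clone = {who: set(perms) for who, perms in source.items()}  # step 1: copy
        self.set_inherits(False, node)                              # step 2: re-point
        self.acl[node] = clone

    def restore_inheritance(self, node):
        if self.parent[node] is None or self.benefactor[node] != node:
            raise ValueError("node has no overridable ACL")
        self.set_inherits(True, node)   # step 1: back to the parent's benefactor
        del self.acl[node]              # step 2: drop the explicit permissions

    def can_access(self, who, node, perm):
        # One lookup through the benefactor pointer; no walk up the tree.
        return perm in self.acl[self.benefactor[node]].get(who, set())
```

Because the ACL is cloned rather than shared, a grant made on the overriding node does not leak up to the former benefactor, and restoring inheritance removes that grant for the whole subtree at once.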