Modify ↓
Opened 7 years ago
Last modified 4 years ago
#13014 new enhancement
Deprecate and remove IPermissionStore.get_users_with_permission
Reported by: | Ryan J Ollos | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | next-dev-1.7.x |
Component: | general | Version: | |
Severity: | normal | Keywords: | permissions |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
This is a follow-on to comment:15:ticket:12915.
The proposed changes are:
- Change
DefaultPermissionStore.get_user_permissions
so thatIPermissionGroupProviders
are not searched.PermissionSystem.get_user_permissions
will searchIPermissionGroupProvider
s.DefaultPermissionStore
will no longer have any knowledge ofIPermissionGroupProvider
s that it does not implement. - Deprecate
IPermissionStore.get_users_with_permissions
and remove it in 1.5.1.- The method was added in #4245.
- LdapPlugin is the only plugin on trac-hacks.org that implements
IPermissionStore
, and it has copied the implementation of DefaultPermissionStore.get_users_with_permissions. PermissionSystem.get_users_with_permission
can do the equivalent work for allIPermissionStore
s.
- Change
PermissionSystem.get_users_with_permission
so that it does not callIPermissionStore.get_users_with_permissions
.
Attachments (0)
Change History (10)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
[52b42e0d/rjollos.git] proposes to make DefaultPermissionStore.get_user_permissions
unaware of other IPermissionGroupProvider
s.
- However,
DefaultPermissionStore.get_user_permissions
still returns actions for a user that are inherited fromDefaultPermissionStore
groups that the user is a member of. PermissionSystem.get_user_permissions
is responsible for determining group membership for groups defined by otherIPermissionGroupProvider
s.- The
IPermissionStore.get_user_permissions
interface is changed to require accepting a tuple of subjects (users and groups).
I've been debating a few points:
- I favor changing
DefaultPermissionStore
to be unaware of allIPermissionGroupProvider
s because that work is better done byPermissionSystem
and doesn't have to be repeated by everyIPermissionStore
implementation. TheIPermissionStore
s have a more narrow and well-defined role. However, if this change leads to too many complications, the proposed change should be dropped. - With that in mind, maybe
DefaultPermissionStore.get_user_permissions
should only return actions for the specified subjects and not includeDefaultPermissionStore
groups that the user is a member of. TheDefaultPermissionStore
groups would be discovered by the query inPermissionSystem.get_user_permissions
. The downside is that it results in two database queries, one to find the groups and one to find the actions for subjects. - Otherwise, we could explicitly document the rule. If the component implementing
IPermissionStore
defines groups through anIPermissionGroupProvider
implementation,get_user_permissions
should return actions inherited from those groups for all subjects.
comment:3 by , 6 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:4 by , 6 years ago
Milestone: | 1.3.4 → 1.5.1 |
---|
comment:5 by , 5 years ago
Milestone: | 1.5.1 → 1.5.3 |
---|
comment:6 by , 4 years ago
Milestone: | 1.5.3 → 1.7 |
---|
comment:8 by , 4 years ago
Milestone: | 1.7.1 |
---|---|
Owner: | removed |
Status: | assigned → new |
comment:9 by , 4 years ago
Milestone: | → 1.7.1 |
---|
comment:10 by , 4 years ago
Milestone: | 1.7.1 → next-dev-1.7.x |
---|
Note:
See TracTickets
for help on using tickets.
Changes in log:rjollos.git:t13014_remove_get_users_with_permission. Need to add more test coverage and check performance implications.