Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Bricolage: devel

question about recalling stories

  

 
Bricolage devel RSS feed   Index | Next | Previous | View Threaded


D-Beaudet at NGA

Nov 19, 2008, 6:16 PM

Post #1 of 10 (2100 views)
Permalink
question about recalling stories
I've got a fairly hacked version of Bric 10.2 , so I don't know if this
is something I introduced or not to my own system, but if a user doesn't
have access to a start desk, but does have access to subsequent desks
and access to recall a particular story, shouldn't the story get placed
on the first desk they have edit permissions on? Right now, the story
goes on the start desk, but then the user cannot edit it. This could
very well be a result of some hacks I've done to enforce desk
permissions which I describe as follows, and now that I read it, is
probably the case. Assuming I eventually commit the change and
associated config directive, the question is still relevant though. If
a user has access to desks further up in a workflow, their "start desk"
might very well be different from somebody else's in that we don't want
to recall a story to a desk that has insufficient permissions for the
person recalling the story to edit the story.



# Workflow desk permission enforcement. By default, a
non-administrative user's

# permissions on an asset are determined by taking the highest
permission available on

# any permissionable aspect of the asset (category, element type, etc.),

# including permissions on the assets current desk within a workflow. A
side

# effect of this highly trusting and collaborative approach is that a
user can

# search for and edit an asset with the "Find" feature even though the
user has

# no permission to the asset's current desk. Some customers might prefer
to enforce

# the workflow permissions separately from asset permissions, thereby
taking the

# LESSER of the highest permission allowed by the asset and the highest

# permission allowed by the desk in the asset's current workflow. This
provides an

# effective way to 'protect' an asset once it reaches a certain desk.

# To enable this feature, set this directive to "Yes", "On", or "1".


david at kineticode

Nov 19, 2008, 9:24 PM

Post #2 of 10 (2005 views)
Permalink
Re: question about recalling stories [In reply to]
On Nov 19, 2008, at 6:16 PM, Beaudet, David wrote:

> I've got a fairly hacked version of Bric 10.2 , so I don't know if
> this
> is something I introduced or not to my own system, but if a user
> doesn't
> have access to a start desk, but does have access to subsequent desks
> and access to recall a particular story, shouldn't the story get
> placed
> on the first desk they have edit permissions on?

Maybe. But it's not designed that way.

> Right now, the story
> goes on the start desk, but then the user cannot edit it. This could
> very well be a result of some hacks I've done to enforce desk
> permissions which I describe as follows, and now that I read it, is
> probably the case.

Maybe. But assets are alway put on the start desk when users create or
recall them.

> Assuming I eventually commit the change and
> associated config directive, the question is still relevant though.
> If
> a user has access to desks further up in a workflow, their "start
> desk"
> might very well be different from somebody else's in that we don't
> want
> to recall a story to a desk that has insufficient permissions for the
> person recalling the story to edit the story.

Yes, that's right. The current design, where all things go on the
start desk when they enter a workflow, predates the addition of the
RECALL permission. So it may very well need re-evaluating. As it is,
however, one cannot recall a story into a workflow unless one has
RECALL permission to the start desk. I mean, I think you can give a
user RECALL permission to a category of documents, for example, but
they can't recall any of those documents into a workflow where they
don't have at least READ access to the start desk.

> # Workflow desk permission enforcement. By default, a
> non-administrative user's
>
> # permissions on an asset are determined by taking the highest
> permission available on
>
> # any permissionable aspect of the asset (category, element type,
> etc.),
>
> # including permissions on the assets current desk within a
> workflow. A
> side
>
> # effect of this highly trusting and collaborative approach is that a
> user can
>
> # search for and edit an asset with the "Find" feature even though the
> user has
>
> # no permission to the asset's current desk.

Say what? You can't edit a document if you can't pull it into workflow.

> Some customers might prefer
> to enforce
>
> # the workflow permissions separately from asset permissions, thereby
> taking the
>
> # LESSER of the highest permission allowed by the asset and the
> highest
>
> # permission allowed by the desk in the asset's current workflow.
> This
> provides an
>
> # effective way to 'protect' an asset once it reaches a certain desk.
>
> # To enable this feature, set this directive to "Yes", "On", or "1".

That sounds like a cute hack, but stands to make permissions even more
confusing than they already are. I'm not sure if that's a good thing…

Best,

David


D-Beaudet at NGA

Nov 20, 2008, 6:47 AM

Post #3 of 10 (2024 views)
Permalink
RE: question about recalling stories [In reply to]
> > Right now, the story
> > goes on the start desk, but then the user cannot edit it. This
could
> > very well be a result of some hacks I've done to enforce desk
> > permissions which I describe as follows, and now that I read it, is
> > probably the case.
>
> Maybe. But assets are alway put on the start desk when users create or
> recall them.

I guess another solution would be to allow the story to be moved from a
desk even if it cannot be edited on that desk. That way, a user could
move the story to a desk they have editing privs on, but that seems
laborious. Probably better to just create or recall to the first desk
they have edit or greater privs on.

Can you envision any serious consequences of creating or recalling to a
desk other than the start desk?

> > Assuming I eventually commit the change and
> > associated config directive, the question is still relevant though.
> > If
> > a user has access to desks further up in a workflow, their "start
> > desk"
> > might very well be different from somebody else's in that we don't
> > want
> > to recall a story to a desk that has insufficient permissions for
the
> > person recalling the story to edit the story.
>
> Yes, that's right. The current design, where all things go on the
> start desk when they enter a workflow, predates the addition of the
> RECALL permission. So it may very well need re-evaluating. As it is,
> however, one cannot recall a story into a workflow unless one has
> RECALL permission to the start desk. I mean, I think you can give a
> user RECALL permission to a category of documents, for example, but
> they can't recall any of those documents into a workflow where they
> don't have at least READ access to the start desk.
>
> > # Workflow desk permission enforcement. By default, a
> > non-administrative user's
> >
> > # permissions on an asset are determined by taking the highest
> > permission available on
> >
> > # any permissionable aspect of the asset (category, element type,
> > etc.),
> >
> > # including permissions on the assets current desk within a
> > workflow. A
> > side
> >
> > # effect of this highly trusting and collaborative approach is that
a
> > user can
> >
> > # search for and edit an asset with the "Find" feature even though
the
> > user has
> >
> > # no permission to the asset's current desk.
>
> Say what? You can't edit a document if you can't pull it into
workflow.

I believe my rationale for making this change was that under the current
permissions model, if user A has permission to check out a story from
Category 1 and pulls it onto a desk, and user B has edit privs on that
desk, but does not have edit privs for stories in category 1, they are
still permitted to edit the story. It was either that, or vice versa,
where a user was permitted to recall any story in any category to a desk
on which they had edit privs. I'm going to investigate this a little
more and will let you know what I find / remember.


> > Some customers might prefer
> > to enforce
> >
> > # the workflow permissions separately from asset permissions,
thereby
> > taking the
> >
> > # LESSER of the highest permission allowed by the asset and the
> > highest
> >
> > # permission allowed by the desk in the asset's current workflow.
> > This
> > provides an
> >
> > # effective way to 'protect' an asset once it reaches a certain
desk.
> >
> > # To enable this feature, set this directive to "Yes", "On", or "1".
>
> That sounds like a cute hack, but stands to make permissions even more
> confusing than they already are. I'm not sure if that's a good
thing...

I'm not sure it makes it more confusing - it actually made it clearer to
me because I had to ensure that alls the stars were aligned for a user
to be able to do something. This also provided me with a much finer
grained control using the current set of permissions in the system.


david at kineticode

Nov 20, 2008, 9:53 AM

Post #4 of 10 (2003 views)
Permalink
Re: question about recalling stories [In reply to]
On Nov 20, 2008, at 6:47 AM, Beaudet, David wrote:

> I guess another solution would be to allow the story to be moved
> from a
> desk even if it cannot be edited on that desk. That way, a user could
> move the story to a desk they have editing privs on, but that seems
> laborious.

And would seem to defeat the security of READ.

> Probably better to just create or recall to the first desk
> they have edit or greater privs on.

I can see that. Can anyone anticipate any side-effects with that?
Offhand I can't think of any. Seems pretty reasonable.

> Can you envision any serious consequences of creating or recalling
> to a
> desk other than the start desk?

Not off the bat, no.

>> Say what? You can't edit a document if you can't pull it into
>> workflow.
>>
>
> I believe my rationale for making this change was that under the
> current
> permissions model, if user A has permission to check out a story from
> Category 1 and pulls it onto a desk, and user B has edit privs on that
> desk, but does not have edit privs for stories in category 1, they are
> still permitted to edit the story.

True.

> It was either that, or vice versa,
> where a user was permitted to recall any story in any category to a
> desk
> on which they had edit privs. I'm going to investigate this a little
> more and will let you know what I find / remember.

Great.

>> That sounds like a cute hack, but stands to make permissions even
>> more
>> confusing than they already are. I'm not sure if that's a good
>> thing...
>
> I'm not sure it makes it more confusing - it actually made it
> clearer to
> me because I had to ensure that alls the stars were aligned for a user
> to be able to do something. This also provided me with a much finer
> grained control using the current set of permissions in the system.


Yes, "finer grained" and "ensure that all the stars were aligned" eq
more complex.

Best,

David


D-Beaudet at NGA

Nov 20, 2008, 10:07 AM

Post #5 of 10 (2021 views)
Permalink
RE: question about recalling stories [In reply to]
> Yes, "finer grained" and "ensure that all the stars were aligned" eq
> more complex.

eq "less loosey goosey"

:)


david at kineticode

Nov 20, 2008, 10:13 AM

Post #6 of 10 (2014 views)
Permalink
Re: question about recalling stories [In reply to]
On Nov 20, 2008, at 10:07 AM, Beaudet, David wrote:

>> Yes, "finer grained" and "ensure that all the stars were aligned" eq
>> more complex.
>
> eq "less loosey goosey"

Perhaps. I'm not throwing out the idea, mind you, I'm just very
conscious of how complex permissions already are, and I want to
minimize the chances that we'll make them any *more* confusing.

But if we decided to get this in, too, when do you think you could
submit the patch?

BTW, everyone, I leave for six weeks in France on Sunday. I'll be in
Rouen in Normandie. I'll be working for $client again as of Dec 1, and
will be online through December, but only part time. But maybe this is
a good time to spend a day or two addressing bugs and looking at a
feature freeze for 2.0.

Thoughts? When should we Freeze? I'm thinking Maybe Dec 19th (my 40th
Birthday, ACK!).

Thanks,

David


D-Beaudet at NGA

Nov 20, 2008, 10:17 AM

Post #7 of 10 (2016 views)
Permalink
RE: question about recalling stories [In reply to]
> But if we decided to get this in, too, when do you think you could
> submit the patch?

I'll have to look at the involved code. I don't recall it being too
complex a change and I don't think it involves much GUI code. I'll try
to get one out for vetting.

> BTW, everyone, I leave for six weeks in France on Sunday. I'll be in
> Rouen in Normandie. I'll be working for $client again as of Dec 1, and
> will be online through December, but only part time. But maybe this is
> a good time to spend a day or two addressing bugs and looking at a
> feature freeze for 2.0.

Cool! I love French breakfast.

> Thoughts? When should we Freeze? I'm thinking Maybe Dec 19th (my 40th
> Birthday, ACK!).

Sounds good to me. Happy B-Day in advance! And remember that turning
40 means you have COMPLETED 40 years, not that you're starting on year
40... hehe.


david at kineticode

Nov 20, 2008, 10:47 AM

Post #8 of 10 (2038 views)
Permalink
Re: question about recalling stories [In reply to]
On Nov 20, 2008, at 10:17 AM, Beaudet, David wrote:

> I'll have to look at the involved code. I don't recall it being too
> complex a change and I don't think it involves much GUI code. I'll
> try
> to get one out for vetting.

Great, thanks.

>> BTW, everyone, I leave for six weeks in France on Sunday. I'll be in
>> Rouen in Normandie. I'll be working for $client again as of Dec 1,
>> and
>> will be online through December, but only part time. But maybe this
>> is
>> a good time to spend a day or two addressing bugs and looking at a
>> feature freeze for 2.0.
>
> Cool! I love French breakfast.

Brie and butter on baguettes for lunch.

>> Thoughts? When should we Freeze? I'm thinking Maybe Dec 19th (my 40th
>> Birthday, ACK!).
>
> Sounds good to me. Happy B-Day in advance! And remember that turning
> 40 means you have COMPLETED 40 years, not that you're starting on year
> 40... hehe.

Um, STFU.

:-D

D


phillip at communitybandwidth

Nov 21, 2008, 6:04 AM

Post #9 of 10 (2011 views)
Permalink
Re: question about recalling stories [In reply to]
On 20-Nov-08, at 1:13 PM, David E. Wheeler wrote:

> Thoughts? When should we Freeze? I'm thinking Maybe Dec 19th (my
> 40th Birthday, ACK!).

Where's the party?

--
Phillip Smith,
Simplifier of Technology
Community Bandwidth
http://www.communitybandwidth.ca


david at kineticode

Nov 21, 2008, 7:59 AM

Post #10 of 10 (2010 views)
Permalink
Re: question about recalling stories [In reply to]
On Nov 21, 2008, at 6:04 AM, Phillip Smith wrote:

>> Thoughts? When should we Freeze? I'm thinking Maybe Dec 19th (my
>> 40th Birthday, ACK!).
>
> Where's the party?

La France.

Best,

David

Bricolage devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.