2009-05-20T00:00:05 <ThomasWaldmann> "create" capability?
2009-05-20T00:00:19 <dennda> as our next agenda point?
2009-05-20T00:01:04 <ThomasWaldmann> it is also related to rename
2009-05-20T00:01:45 <dennda> why do you think a special create capability is needed?
2009-05-20T00:01:52 <dennda> sounds too much like write for me
2009-05-20T00:02:38 <ThomasWaldmann> editing something existing is a bit different from creating a new item
2009-05-20T00:02:53 <ThomasWaldmann> see unix :)
2009-05-20T00:03:27 <dennda> what's the actual difference in our case?
2009-05-20T00:04:29 <ThomasWaldmann> that some users maybe are allowed to edit, but not to create new stuff?
2009-05-20T00:05:28 <ThomasWaldmann> (that would make rename check: may write src, may create target, may write target)
2009-05-20T00:05:31 <dennda> well yeah
2009-05-20T00:05:33 <dreimark> gn
2009-05-20T00:05:46 <dennda> if we want that, that'd require yet another privilege
2009-05-20T00:06:20 <ThomasWaldmann> rename wouldn't need own capability then, as it just checks write and create
2009-05-20T00:06:26 <dennda> creating a target without being able to write to it sounds strange
2009-05-20T00:07:23 <ThomasWaldmann> one needs to give some capabilities together
2009-05-20T00:07:35 <ThomasWaldmann> write also does not make much sense without read
2009-05-20T00:08:39 <ThomasWaldmann> hmm
2009-05-20T00:09:23 <ThomasWaldmann> rename is different
2009-05-20T00:09:54 <ThomasWaldmann> it somehow behaves like nuke src, create and write target
2009-05-20T00:10:35 <ThomasWaldmann> but one does not want to give someone:nuke,create,write so that he is able to rename
2009-05-20T00:10:55 <dennda> why not pass rename down to the storage api?
2009-05-20T00:11:55 <ThomasWaldmann> it's not the question where it is done, but what capability we want to check
2009-05-20T00:12:10 <dennda> not quite
2009-05-20T00:12:16 <dennda> because then you don't need to nuke anything
2009-05-20T00:12:31 <ThomasWaldmann> of course there can only be a "rename" capability, if storage api can see a rename happening
2009-05-20T00:12:34 <dennda> the item is just really renamed
2009-05-20T00:13:52 <dennda> i'm tired, let's please come to an end for today
2009-05-20T00:14:15 <ThomasWaldmann> ok, we'll sleep a night over it. please update the page tomorrow with what we have.
2009-05-20T00:14:32 <dennda> jup
2009-05-20T00:14:35 <dennda> gn
2009-05-20T05:42:54 *** aigarius has joined #moin-dev
2009-05-20T07:18:51 *** aigarius has quit IRC
2009-05-20T08:48:02 <dreimark> moin
2009-05-20T09:12:10 <ThomasWaldmann> moin
2009-05-20T09:17:42 <dimazest> moin
2009-05-20T09:33:01 *** devilsadvocate_ has quit IRC
2009-05-20T14:43:35 *** devilsadvocate has joined #moin-dev
2009-05-20T16:12:40 <dreimark> dimazest: please rename Groups2009TestResults to a subpage of Groups2009
2009-05-20T16:12:53 <dimazest> ok
2009-05-20T16:13:18 <dreimark> you can add <<Navigation(children)>> to the main page
2009-05-20T16:13:37 <dreimark> same for the other page
2009-05-20T16:14:46 <dreimark> editorsGroup is only an editor Group if the acls tell that
2009-05-20T16:15:08 <dreimark> there is no convention for group named editorsGroup
2009-05-20T16:15:21 <ThomasWaldmann> dennda: btw, I am likely unavailable this evening, so if you need more acl input, we should discuss before 1900
2009-05-20T16:15:48 <dreimark> dimazest: "have default postfix Group" is defined by the regex which is for en this default
2009-05-20T16:20:11 <dreimark> dimazest: the parser gets only first level items into the groups dictionary
2009-05-20T16:20:37 <dreimark> and if Food should be a Group page it has to match the regex too
2009-05-20T16:22:29 <dimazest> yes, but there i'm not talking about Group Pages
2009-05-20T16:22:40 <dimazest> i'm talking in general, for any backend
2009-05-20T16:23:36 <dreimark> any backend has to have a rule what is group and what is a member
2009-05-20T16:23:43 <dreimark> (item)
2009-05-20T16:25:11 <dreimark> the current example looks like it is based on the rule to end with Group
2009-05-20T16:26:03 <dreimark> set will always return unique items only
2009-05-20T16:27:04 <dimazest> but it can be done differently, for Pages it is regex
2009-05-20T16:27:17 <dreimark> I think we will need at least a log message when different backends do have name clashes
2009-05-20T16:27:27 <dimazest> but in the database groups and members can be stored in different tables
2009-05-20T16:27:40 <dreimark> phonecall
2009-05-20T16:29:06 <dreimark> re
2009-05-20T16:29:23 <dimazest> and i'm not sure that BaseGroupManager is dictionary which maps group name to the group object
2009-05-20T16:29:51 <dreimark> may be add a few more lines description to the example
2009-05-20T16:29:54 <dimazest> because if group object stores name inside
2009-05-20T16:30:15 <dimazest> then we can map 'SomeGroup' to group which name is 'OtherGroup'
2009-05-20T16:31:06 <dimazest> but, if BaseGroupManager is a set, it is not clear for me what should be hash function for group objects
2009-05-20T16:31:37 <dimazest> dreimark: example of Food and Vegetables?
2009-05-20T16:31:45 <dreimark> yes
2009-05-20T16:38:11 <dreimark> dimazest: the items are a set
2009-05-20T16:38:55 <dimazest> BaseGroup is a set of items (unicode strings)
2009-05-20T16:39:54 <dimazest> but is it an issue if the same group is defined in several backends?
2009-05-20T16:40:34 <dreimark> e.g. from the config_group
2009-05-20T16:40:36 <dreimark> groups = {u'FirstGroup': set([u"ExampleUser", u"SecondUser", u"JoeDoe", ]),
2009-05-20T16:40:43 <dreimark> u'SecondGroup': set([u"ExampleUser", u"ThirdUser", ]),
2009-05-20T16:40:48 <dreimark> }
2009-05-20T16:41:42 <dreimark> dimazest: for auth it is solved that way that the first auth which is working wins
2009-05-20T16:42:32 <dreimark> there is also the problem of different people assigned to different accounts or same account
2009-05-20T16:42:53 <dimazest> dreimark: yes, example is correct
2009-05-20T16:46:15 <dreimark> the issue with same group is that you have to decide what to do.
2009-05-20T16:46:30 <dreimark> a) dropping the second
2009-05-20T16:46:37 <dreimark> b) merging the users
2009-05-20T16:47:13 <dreimark> c) ignoring the group and crying
2009-05-20T16:47:39 <dreimark> may be that wants to be configurable
2009-05-20T16:48:18 <dimazest> i was thinking for kind of merging
2009-05-20T16:48:57 <dimazest> when one asks, give me all members of group 'SomeGroup' we check every backend
2009-05-20T16:49:18 <dimazest> collect items, and return
2009-05-20T16:49:37 <dreimark> can work for config and wiki backend
2009-05-20T16:49:47 <dreimark> does not for ldap
2009-05-20T16:51:00 <dreimark> how do you solve the problem to make the mapping of a group which has different definitions
2009-05-20T16:51:17 <dreimark> while in the wikiconfig or on a page an acl is given to
2009-05-20T16:51:33 <dreimark> MyGroup:read,write
2009-05-20T16:52:47 <dreimark> you need somewhere to set MyGroup in the wiki is meant as XYZ in the other backend
2009-05-20T16:53:34 <dimazest> backends can define it in a different way
2009-05-20T16:53:59 <dimazest> the easiest solution is to MyGroup <-> MyGroup
2009-05-20T16:54:39 <dimazest> or, when we add group named One to the WikiPageBackend
2009-05-20T16:54:52 <dimazest> it is stored as OneGroup
2009-05-20T16:55:06 <dreimark> someone will use existing group definition which don't follow moin's rules
2009-05-20T16:55:29 <dimazest> so, so he could define postfix Group
2009-05-20T16:56:06 <dimazest> but i think mapping should be MyGroup<->Mygroup
2009-05-20T16:56:31 <dimazest> if someone uses set up which does not follow Moin rules
2009-05-20T16:56:39 <dimazest> then he must write in acl
2009-05-20T16:56:52 <dimazest> Admins:read,write
2009-05-20T16:56:54 <dreimark> the problem is big companies do have already group definitions
2009-05-20T16:57:02 <dreimark> they just want to use them
2009-05-20T16:57:09 <dimazest> here group is called Admins
2009-05-20T16:57:35 <dimazest> is it possible to define such acl?
2009-05-20T16:57:43 <dreimark> currently with moin's code that would not fit the regex and would be interpreted as user
2009-05-20T16:59:00 <dimazest> and this is done in the acl related code?
2009-05-20T16:59:37 <dimazest> then instead of regex something else must be used
2009-05-20T17:00:03 <dimazest> something like GroupDict.hasgroup(groupname)
2009-05-20T17:02:19 <dreimark> add this to your concept and think a bit more on that
2009-05-20T17:03:00 <dreimark> what else need to be changed etc.
2009-05-20T17:06:03 <dreimark> and about the mapping of groups from different backends.
2009-05-20T17:08:39 <dimazest> ok
2009-05-20T17:34:11 <dreimark> bbl
2009-05-20T17:40:36 <ThomasWaldmann> dimazest: I am not sure whether group merging from different backends wouldn't be overkill
2009-05-20T17:41:05 <ThomasWaldmann> usually a specific group should be defined at one place, not at multiple places
2009-05-20T17:41:27 <ThomasWaldmann> so a first-match approach seems to be enough to handle that
2009-05-20T17:42:20 <ThomasWaldmann> dimazest: and please: get away from that GroupDict / DictDict stuff
2009-05-20T17:44:00 <ThomasWaldmann> (I mean the method/class names)
2009-05-20T17:48:12 <dimazest> ThomasWaldmann: i used GroupDict, DictDict to understand needed functionality
2009-05-20T17:53:23 <ThomasWaldmann> we don't need much :)
2009-05-20T17:53:41 <ThomasWaldmann> groups and membership check mostly
2009-05-20T17:54:28 <ThomasWaldmann> and the membership check should NOT work like "get all group members list" and then check "x in memberlist"
2009-05-20T17:54:56 <ThomasWaldmann> (just imagine a ldap directory with 100.000 users ...)
2009-05-20T17:55:24 <ThomasWaldmann> there should be a member list function, but it should be used very carefully
2009-05-20T17:56:28 <dimazest> good point
2009-05-20T17:57:01 <dimazest> by the way, now there are different Group managers
2009-05-20T17:57:15 <dimazest> which deal with one backend
2009-05-20T17:57:37 <dimazest> e.g. ConfigGroupManager, WikiPagesGroupManager and so on
2009-05-20T17:58:38 <dimazest> do we need some higher level manager which deals with different backends, which means with ConfigGroupManager, WikiPagesGroupManager...
2009-05-20T17:58:51 <dimazest> so we can ask him if someone is in group
2009-05-20T17:59:01 <dimazest> and he checks backends in some order
2009-05-20T17:59:14 <dimazest> decides is it first match order or something else and so on
2009-05-20T17:59:38 <dimazest> so other moin code will work with him
2009-05-20T18:13:48 <ThomasWaldmann> didn't we solve that already last year?
2009-05-20T18:14:35 <ThomasWaldmann> that like is some function getting a request object and a configured list of GroupManager items
2009-05-20T18:14:42 <ThomasWaldmann> +ly
2009-05-20T18:14:42 <dimazest> i need to look it up
2009-05-20T18:16:38 <dimazest> is it in mmihajleic repo?
2009-05-20T18:19:25 <ThomasWaldmann> yes
2009-05-20T18:23:20 <dimazest> ok i'll check it more carefully
2009-05-20T18:33:23 <dennda> ThomasWaldmann: what do you think the aclwrapperbackend you put together there is lacking? (sorry for the poor connection atm)
2009-05-20T18:33:55 <dennda> i just looked at it more closely and it looked the same way i'd have done it
2009-05-20T18:37:01 <ThomasWaldmann> maybe try executing it, it is more an idea than working code
2009-05-20T18:39:41 <dennda> yeah i'll fix a few minor things and inject it onto the request
2009-05-20T18:43:32 <dennda> ThomasWaldmann: did you see my changes to the acl page? maybe just proof-read it in case i forgot sth
2009-05-20T18:45:10 <ThomasWaldmann> admin :)
2009-05-20T18:45:40 <dennda> did we discuss that? or should i figure that out myself?
2009-05-20T18:46:23 <ThomasWaldmann> well, if you do it like in the past, it is not that hard
2009-05-20T18:46:38 <dennda> i guess admin is admin
2009-05-20T18:46:43 <ThomasWaldmann> but it wasn't trouble-free, so some more thoughts would be nice
2009-05-20T18:47:34 <ThomasWaldmann> the biggest trouble was that you could not have template pages with ACLs on them, because using them required admin capability
2009-05-20T18:47:44 <ThomasWaldmann> and most users don't have that
2009-05-20T18:48:21 <ThomasWaldmann> in the "collection" section are still some open questions / things
2009-05-20T18:49:47 <dennda> 'using' == manipulating the template's acl?
2009-05-20T18:53:51 <ThomasWaldmann> creating a new page based on template
2009-05-20T18:54:56 <ThomasWaldmann> but maybe we just want to solve that differently, like 1. create new page from latest template revision using system privileges, 2. giving it to the user into editor
2009-05-20T19:09:27 *** grzywacz has joined #moin-dev
2009-05-20T19:11:12 <dennda> isn't that just copying?
2009-05-20T19:11:35 <dennda> template->new page, edit new page
2009-05-20T19:19:32 <dennda> ThomasWaldmann: guess you're gone, just pinging you so you don't miss this when you come back. off now myself
2009-05-20T20:45:37 <ThomasWaldmann> re
MoinMoin: MoinMoinChat/Logs/moin-dev/2009-05-20 (last edited 2009-05-19 22:15:02 by IrcLogImporter)