MoinMoinChat/Logs/moin-dev/2009-05-20

2009-05-20T00:00:05  <ThomasWaldmann> "create" capability?
2009-05-20T00:00:19  <dennda> as our next agenda point?
2009-05-20T00:01:04  <ThomasWaldmann> it is also related to rename
2009-05-20T00:01:45  <dennda> why do you think a special create capability is needed?
2009-05-20T00:01:52  <dennda> sounds too much like write for me
2009-05-20T00:02:38  <ThomasWaldmann> editing something existing is a bit different from creating a new item
2009-05-20T00:02:53  <ThomasWaldmann> see unix :)
2009-05-20T00:03:27  <dennda> what's the actual difference in our case?
2009-05-20T00:04:29  <ThomasWaldmann> that some users maybe are allowed to edit, but not to create new stuff?
2009-05-20T00:05:28  <ThomasWaldmann> (that would make rename check: may write src, may create target, may write target)
2009-05-20T00:05:31  <dennda> well yeah
2009-05-20T00:05:33  <dreimark> gn
2009-05-20T00:05:46  <dennda> if we want that, that'd require yet another privilege
2009-05-20T00:06:20  <ThomasWaldmann> rename wouldn't need own capability then, as it just checks write and create
2009-05-20T00:06:26  <dennda> creating a target without being able to write to it sounds strange
2009-05-20T00:07:23  <ThomasWaldmann> one needs to give some capabilities together
2009-05-20T00:07:35  <ThomasWaldmann> write also does not make much sense without read
2009-05-20T00:08:39  <ThomasWaldmann> hmm
2009-05-20T00:09:23  <ThomasWaldmann> rename is different
2009-05-20T00:09:54  <ThomasWaldmann> it somehow behaves like nuke src, create and write target
2009-05-20T00:10:35  <ThomasWaldmann> but one does not want to give someone:nuke,create,write so that he is able to rename
2009-05-20T00:10:55  <dennda> why not pass rename down to the storage api?
2009-05-20T00:11:55  <ThomasWaldmann> its not the question where it is done, but what capability we want to check
2009-05-20T00:12:10  <dennda> not quite
2009-05-20T00:12:16  <dennda> because then you don't need to nuke anything
2009-05-20T00:12:31  <ThomasWaldmann> of course there can only be a "rename" capability, if storage api can see a rename happening
2009-05-20T00:12:34  <dennda> the item is just really renamed
2009-05-20T00:13:52  <dennda> i'm tired, let's please come to an end for today
2009-05-20T00:14:15  <ThomasWaldmann> ok, we'll sleep a night over it. please update the page tomorrow with what we have.
2009-05-20T00:14:32  <dennda> jup
2009-05-20T00:14:35  <dennda> gn
2009-05-20T05:42:54  *** aigarius has joined #moin-dev
2009-05-20T07:18:51  *** aigarius has quit IRC
2009-05-20T08:48:02  <dreimark> moin
2009-05-20T09:12:10  <ThomasWaldmann> moin
2009-05-20T09:17:42  <dimazest> moin
2009-05-20T09:33:01  *** devilsadvocate_ has quit IRC
2009-05-20T14:43:35  *** devilsadvocate has joined #moin-dev
2009-05-20T16:12:40  <dreimark> dimazest: please rename Groups2009TestResults to a subpage of Groups2009
2009-05-20T16:12:53  <dimazest> ok
2009-05-20T16:13:18  <dreimark> you can add <<Navigation(children)>> to the main page
2009-05-20T16:13:37  <dreimark> same for the other page
2009-05-20T16:14:46  <dreimark> editorsGroup is only an editor Grop if the acls tell that
2009-05-20T16:15:08  <dreimark> there is no convention for group named editorsGroup
2009-05-20T16:15:21  <ThomasWaldmann> dennda: btw, I am likely unavailable this evening, so if you need more acl input, we should discuss before 1900
2009-05-20T16:15:48  <dreimark> dimazest: "have default postfix Group" is defined by the regex which is for en this default
2009-05-20T16:20:11  <dreimark> dimazest: the parser gets only first level items into the groups dictionary
2009-05-20T16:20:37  <dreimark> and if Food should be a Grop page it has to match the regex too
2009-05-20T16:22:29  <dimazest> yes, but there i'm not talking about Group Pages
2009-05-20T16:22:40  <dimazest> i'm talking in general, for any backend
2009-05-20T16:23:36  <dreimark> any backend has to have a rule what is group and what is a memeber
2009-05-20T16:23:43  <dreimark> (item)
2009-05-20T16:25:11  <dreimark> the current example looks like it is based on the rule to end with Group
2009-05-20T16:26:03  <dreimark> set will always return uniq items only
2009-05-20T16:27:04  <dimazest> but it can be done differently, for Pages it is regex
2009-05-20T16:27:17  <dreimark> I think we will need at least a log message when different backends do have name clashes
2009-05-20T16:27:27  <dimazest> but in the database groups and members can be stored in different tables
2009-05-20T16:27:40  <dreimark> phonecall
2009-05-20T16:29:06  <dreimark> re
2009-05-20T16:29:23  <dimazest> and i'm not sure that BaseGroupManager is dictionary which maps group name to the group object
2009-05-20T16:29:51  <dreimark> may be add a few more lines description to the example
2009-05-20T16:29:54  <dimazest> because if group object stores name inside
2009-05-20T16:30:15  <dimazest> then we can map 'SomeGroup' to group which name is 'OtherGroup'
2009-05-20T16:31:06  <dimazest> but, if BaseGroupManager is a set, it is not clear for me what should be hash function for group objects
2009-05-20T16:31:37  <dimazest> dreimark: example of Food and Vegetables?
2009-05-20T16:31:45  <dreimark> yes
2009-05-20T16:38:11  <dreimark> dimazest: the items are a set
2009-05-20T16:38:55  <dimazest> BaseGroup is a set of items (unicode strings)
2009-05-20T16:39:54  <dimazest> but is it an issue if the same group is defined in several backends?
2009-05-20T16:40:34  <dreimark> e.g. from the config_group
2009-05-20T16:40:36  <dreimark> groups = {u'FirstGroup': set([u"ExampleUser", u"SecondUser", u"JoeDoe", ]),
2009-05-20T16:40:43  <dreimark> u'SecondGroup': set([u"ExampleUser", u"ThirdUser", ]),
2009-05-20T16:40:48  <dreimark> }
2009-05-20T16:41:42  <dreimark> dimazest: for auth it is solved that way that the first auth which is working wins
2009-05-20T16:42:32  <dreimark> there is also the problem of differnt people  assigned to different accounts or same account
2009-05-20T16:42:53  <dimazest> dreimark: yes, example is correct
2009-05-20T16:46:15  <dreimark> the issue with same group is that you have to decide what to do.
2009-05-20T16:46:30  <dreimark> a) dropping the second
2009-05-20T16:46:37  <dreimark> b) merging the users
2009-05-20T16:47:13  <dreimark> c) ignoring the group and crying
2009-05-20T16:47:39  <dreimark> may be that wants to be configurable
2009-05-20T16:48:18  <dimazest> i was thinking for kind of merging
2009-05-20T16:48:57  <dimazest> when one asks, give me all members of group 'SomeGroup' we check every backend
2009-05-20T16:49:18  <dimazest> collect items, and return
2009-05-20T16:49:37  <dreimark> can work for config and wiki backend
2009-05-20T16:49:47  <dreimark> does not for ldap
2009-05-20T16:51:00  <dreimark> how do you solve the problem to make the mapping of a group which has differnt definitions
2009-05-20T16:51:17  <dreimark> while in the wikiconfig or on a page an acl is given to
2009-05-20T16:51:33  <dreimark> MyGroup:read,write
2009-05-20T16:52:47  <dreimark> you need somewhere to set MyGroup in the wiki is meant as XYZ in the other backend
2009-05-20T16:53:34  <dimazest> backends can define it in a different way
2009-05-20T16:53:59  <dimazest> the isiest solution is to MyGroup <-> MyGroup
2009-05-20T16:54:39  <dimazest> or, when we add group named One to the WikiPageBackend
2009-05-20T16:54:52  <dimazest> it is stored as OneGroup
2009-05-20T16:55:06  <dreimark> someone will use existing group definition which don't follow moins rules
2009-05-20T16:55:29  <dimazest> so, so he could define postfix Group
2009-05-20T16:56:06  <dimazest> but i think mapping should be MyGroup<->Mygroup
2009-05-20T16:56:31  <dimazest> if someone uses set up which does not follow Moin rules
2009-05-20T16:56:39  <dimazest> then he must write in acl
2009-05-20T16:56:52  <dimazest> Admins:read,write
2009-05-20T16:56:54  <dreimark> the problem is big companies do have already group definitions
2009-05-20T16:57:02  <dreimark> they just want to use them
2009-05-20T16:57:09  <dimazest> here group is called Admins
2009-05-20T16:57:35  <dimazest> is it possible to define such acl?
2009-05-20T16:57:43  <dreimark> currently with moins code that would not fit the regex and would be interpreted as user
2009-05-20T16:59:00  <dimazest> and this is done in the acl related code?
2009-05-20T16:59:37  <dimazest> then instead of regex something else must be used
2009-05-20T17:00:03  <dimazest> something like GroupDict.hasgroup(groupname)
2009-05-20T17:02:19  <dreimark> add this to your concept and think a bit more on that
2009-05-20T17:03:00  <dreimark> what else need to be changed etc.
2009-05-20T17:06:03  <dreimark> and about the mapping of groups from different backends.
2009-05-20T17:08:39  <dimazest> ok
2009-05-20T17:34:11  <dreimark> bbl
2009-05-20T17:40:36  <ThomasWaldmann> dimazest: I am not sure whether group merging from different backends wouldn't be overkill
2009-05-20T17:41:05  <ThomasWaldmann> usually a specific group should be defined at one place, not at multiple places
2009-05-20T17:41:27  <ThomasWaldmann> so a first-match approach seems to be enough to handle that
2009-05-20T17:42:20  <ThomasWaldmann> dimazest: and please: get away from that GroupDict / DictDict stuff
2009-05-20T17:44:00  <ThomasWaldmann> (I mean the method/class names)
2009-05-20T17:48:12  <dimazest> ThomasWaldmann: i used GroupDict, DictDict to understand needed functionality
2009-05-20T17:53:23  <ThomasWaldmann> we don't need much :)
2009-05-20T17:53:41  <ThomasWaldmann> groups and membership check mostly
2009-05-20T17:54:28  <ThomasWaldmann> and the membership check should NOT work like "get all group members list" and then check "x in memberlist"
2009-05-20T17:54:56  <ThomasWaldmann> (just imagine a ldap directory with 100.000 users ...)
2009-05-20T17:55:24  <ThomasWaldmann> there should be a member list function, but it should be used very carefully
2009-05-20T17:56:28  <dimazest> good point
2009-05-20T17:57:01  <dimazest> by the way, now there are different Group managers
2009-05-20T17:57:15  <dimazest> which deal with one backend
2009-05-20T17:57:37  <dimazest> e.g. ConfigGroupManager, WikiPagesGroupManager and so on
2009-05-20T17:58:38  <dimazest> do we need some higher level manager which deals with different backends, which means with ConfigGroupManager, WikiPagesGroupManager...
2009-05-20T17:58:51  <dimazest> so we can ask him if someone is in group
2009-05-20T17:59:01  <dimazest> and he checks backends in some order
2009-05-20T17:59:14  <dimazest> desides is it first mach order or something else an so on
2009-05-20T17:59:38  <dimazest> so other moin code will work with him
2009-05-20T18:13:48  <ThomasWaldmann> didn't we solve that already last year?
2009-05-20T18:14:35  <ThomasWaldmann> that like is some function getting a request object and a configured list of GroupManager items
2009-05-20T18:14:42  <ThomasWaldmann> +ly
2009-05-20T18:14:42  <dimazest> i need to look it up
2009-05-20T18:16:38  <dimazest> is it in mmihajleic repo?
2009-05-20T18:19:25  <ThomasWaldmann> yes
2009-05-20T18:23:20  <dimazest> ok i'll check it more carefully
2009-05-20T18:33:23  <dennda> ThomasWaldmann: what do you think the aclwrapperbackend you put together there is lacking? (sorry for the poor connection atm)
2009-05-20T18:33:55  <dennda> i just looked at it more closely and it looked the same way i'd have done it
2009-05-20T18:37:01  <ThomasWaldmann> maybe try executing it, it is more an idea than working code
2009-05-20T18:39:41  <dennda> yeah i'll fix a few minor things and inject it onto the request
2009-05-20T18:43:32  <dennda> ThomasWaldmann: did you see my changes to the acl page? maybe just proof-read it in case i forgot sth
2009-05-20T18:45:10  <ThomasWaldmann> admin :)
2009-05-20T18:45:40  <dennda> did we discuss that? or should i figure that out myself?
2009-05-20T18:46:23  <ThomasWaldmann> well, if you do it like in the past, it is not that hard
2009-05-20T18:46:38  <dennda> i guess admin is admin
2009-05-20T18:46:43  <ThomasWaldmann> but it wasn't trouble-free, so some more thoughts would be nice
2009-05-20T18:47:34  <ThomasWaldmann> the biggest trouble was that you could not have template pages with ACLs on them, because using them required admin capability
2009-05-20T18:47:44  <ThomasWaldmann> and most users don't have that
2009-05-20T18:48:21  <ThomasWaldmann> in the "collection" section are still some open questions / things
2009-05-20T18:49:47  <dennda> 'using' == manipulating the template's acl?
2009-05-20T18:53:51  <ThomasWaldmann> creating a new page based on template
2009-05-20T18:54:56  <ThomasWaldmann> but maybe we just want to solve that differently, like 1. create new page from latest template revision using system priviledges, 2. giving it to the user into editor
2009-05-20T19:09:27  *** grzywacz has joined #moin-dev
2009-05-20T19:11:12  <dennda> isn't that just copying?
2009-05-20T19:11:35  <dennda> template->new page, edit new page
2009-05-20T19:19:32  <dennda> ThomasWaldmann: guess you're gone, just pinging you so you don't miss this when you come back. off now myself
2009-05-20T20:45:37  <ThomasWaldmann> re
MoinMoin: MoinMoinChat/Logs/moin-dev/2009-05-20 (last edited 2009-05-19 22:15:02 by IrcLogImporter)