2 Replies Latest reply on Apr 17, 2003 8:38 PM by julien1

jeeez I've understood PN model security !

julien1 Jan 16, 2003 4:44 PM

after 2 hours spent on PN doc without understanding
clearly what they tried to mean, sourcecode gave
me the answer.

for a party (user or group) you define a set of rules
in the following form :

let RG be a regular expression that looks like :
"A:B:C" . Where A, B, C are themselves regular expressions without ':' inside.

For instance : "ABC:.*:(AB|CD)"

Then we define a list of rules : ( ( RG1 , RG2 , x ), .. )

where x is an integer and the two other things are regular expressions like RG.

after that given two strings S1 and S2 we will calculate an integer with the following algorithm :

for each rule from the rule list
if rule.rg1 matches S1 and rule.rg2 matches S2
it's finished, return rule.x

after that given a number we compare the returned level and that number and grant or not the right to do something.

so the function become :

calculte(string s1, string s2,set of rules)

and is used like that :

auth(int x,string s1,string s2)
{
gid = get group id of current user;
rules = the set of rules associed to gid
result = calculate(s1,s2,rules)
if (result >= x)
return true
else
return 0
}

of course it's a little bit more complicated
in source code but I give the big lines.

examples of RG : ABC:.*:(A|B)
examples of string : ABC:TTT:B
they will match

julien

1. Re: jeeez I've understood PN model security !

h2o_polo Apr 17, 2003 6:45 PM (in response to julien1)

Hey cooper can you explain how is this done on a simple example, from core module's permissions. Let's say:

2:200:block:menu:published:youraccount:main:.*

or

2:200:module:youraccount:published:user:(edithome|edituser|chgtheme|logout):.*

This is confusing ...

Thanks,
Alex.
Actions
2. Re: jeeez I've understood PN model security !

julien1 Apr 17, 2003 8:38 PM (in response to julien1)

> Hey cooper can you explain how is this done on a
> simple example, from core module's permissions. Let's
> say:
>
> 2:200:block:menu:published:youraccount:main:.*
>
> or
>
> 2:200:module:youraccount:published:user:(edithome|edit
> ser|chgtheme|logout):.*

let's explain the second rule.

okay, if you look at module youraccount you will see the code :

if (api.secAuthAction(
"module:youraccount:published",
moduleMetaData.getName() + ":" + operationMetaData.getName() + ":",
Constants.SEC_ACCESS_READ))
{
// then display an icon + a link
}

the rule :

"2:200:module:youraccount:published:user:(edithome|edituser|chgtheme|logout):.*"

you have to split it :

2 : group ID
200 : acces read
module:youraccount:published : component instance
user:(edithome|edituser|chgtheme|logout):.* : test instance

that means that plain users will be able to display
link in youraccount module to the module operation :

user : edithome
user : editusr
user : chgtheme
user : logout

when api.secAuthAction is called
it will say yes for module meta data
user and operation metadata edithome, editusr, chgtheme, logout.

basically the rule

"module:youraccount:published" will match the componentinstance : "module:youraccount:published"

because string are same (but first must be thought as a regular expression)

"user:(edithome|edituser|chgtheme|logout):.*" will match all constructed string such as
"user:edithome:" for instance.

I hope it's clear enough.

The best is to check CoreModule security and the class SecurityRule.

Nukes security is quite hard to figure out but once you've understood it's clear. But it's not easy to explain it.

Remember : security rules are stupid regular expression, a-la-unix.

julien

>
> This is confusing ...
>
> Thanks,
> Alex.
Actions

Go to original post