2 Replies Latest reply on Apr 17, 2003 8:38 PM by Viet

    jeeez I've understood PN model security !

    Viet Master

      after 2 hours spent on PN doc without understanding
      clearly what they tried to mean, sourcecode gave
      me the answer.

      for a party (user or group) you define a set of rules
      in the following form :

      let RG be a regular expression that looks like :
      "A:B:C" . Where A, B, C are themselves regular expressions without ':' inside.

      For instance : "ABC:.*:(AB|CD)"

      Then we define a list of rules : ( ( RG1 , RG2 , x ), .. )

      where x is an integer and the two other things are regular expressions like RG.

      after that given two strings S1 and S2 we will calculate an integer with the following algorithm :

      for each rule from the rule list
      if rule.rg1 matches S1 and rule.rg2 matches S2
      it's finished, return rule.x

      after that given a number we compare the returned level and that number and grant or not the right to do something.

      so the function become :

      calculte(string s1, string s2,set of rules)

      and is used like that :

      auth(int x,string s1,string s2)
      {
      gid = get group id of current user;
      rules = the set of rules associed to gid
      result = calculate(s1,s2,rules)
      if (result >= x)
      return true
      else
      return 0
      }

      of course it's a little bit more complicated
      in source code but I give the big lines.

      examples of RG : ABC:.*:(A|B)
      examples of string : ABC:TTT:B
      they will match

      julien

        • 1. Re: jeeez I've understood PN model security !
          Alex Shneyderman Newbie

          Hey cooper can you explain how is this done on a simple example, from core module's permissions. Let's say:

          2:200:block:menu:published:youraccount:main:.*

          or

          2:200:module:youraccount:published:user:(edithome|edituser|chgtheme|logout):.*

          This is confusing ...

          Thanks,
          Alex.

          • 2. Re: jeeez I've understood PN model security !
            Viet Master

            > Hey cooper can you explain how is this done on a
            > simple example, from core module's permissions. Let's
            > say:
            >
            > 2:200:block:menu:published:youraccount:main:.*
            >
            > or
            >
            > 2:200:module:youraccount:published:user:(edithome|edit
            > ser|chgtheme|logout):.*

            let's explain the second rule.

            okay, if you look at module youraccount you will see the code :

            if (api.secAuthAction(
            "module:youraccount:published",
            moduleMetaData.getName() + ":" + operationMetaData.getName() + ":",
            Constants.SEC_ACCESS_READ))
            {
            // then display an icon + a link
            }

            the rule :

            "2:200:module:youraccount:published:user:(edithome|edituser|chgtheme|logout):.*"

            you have to split it :

            2 : group ID
            200 : acces read
            module:youraccount:published : component instance
            user:(edithome|edituser|chgtheme|logout):.* : test instance

            that means that plain users will be able to display
            link in youraccount module to the module operation :

            user : edithome
            user : editusr
            user : chgtheme
            user : logout

            when api.secAuthAction is called
            it will say yes for module meta data
            user and operation metadata edithome, editusr, chgtheme, logout.

            basically the rule

            "module:youraccount:published" will match the componentinstance : "module:youraccount:published"

            because string are same (but first must be thought as a regular expression)

            "user:(edithome|edituser|chgtheme|logout):.*" will match all constructed string such as
            "user:edithome:" for instance.

            I hope it's clear enough.

            The best is to check CoreModule security and the class SecurityRule.

            Nukes security is quite hard to figure out but once you've understood it's clear. But it's not easy to explain it.

            Remember : security rules are stupid regular expression, a-la-unix.

            julien

            >
            > This is confusing ...
            >
            > Thanks,
            > Alex.