Thread: Filtering permissions list

  1. #1
    Join Date
    Dec 2004
    Location
    New York
    Posts
    30

    Filtering permissions list

    Hi all:

    We are working on an application that deals with user management. The application uses Acegi ACL to manage what rights users have over other users. User permissions are inherited, so that superuser sees and manages everyone, and sub users who have the role of ROLE_USER_MANAGER can manage users below them in the ACL hierarchy. User managers can also view and delete permissions assigned to users below themselves in the hierarchy. The application calls getAcls in the Acegi class AclManager to get a list of Acls pertaining to a specific user. Here is my question: is there any way to easily filter which permissions get shown? For example, if we have users called grandparent, parent and child, parent shouldn't see grandparent's permissions over child, even though grandparent has inherited permissions over child. I would also like to filter out the __INHERITANCE_MARKER_ONLY__ permission. The Acl system correctly doesn't allow children to delete their parents' permissions, so it seems Acegi has some notion of where Acl entries belong in the inheritance hierarchy.

    Any help much appreciated,

    Dave

  2. #2
    Join Date
    Dec 2004
    Location
    New York
    Posts
    30

    Hi:

    For anyone else needing to do something, here is a solution that seems to work. You can iterate through all of the Acl parents of an object using SimpleAclEntry's getAclObjectParentIdentity() method. If the current user has a matching parent identity, do not return the result. In this way, users can be restricted to seeing only ACL information for objects below them in the ACL inheritance hierarchy.

    HTH,

    Dave

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Re: Filtering permissions list

    Quote, originally posted by dreed:
    "The Acl system correctly doesn't allow children to delete their parents' permissions, so it seems Acegi has some notion of where Acl entries belong in the inheritance hierarchy."

    Say grandparent has an ACL of "bob:read". This will inherit to parent. If child does not want Bob to have permission, there will be an ACL of "bob:none" against parent. In turn child will have no permissions for Bob at all.

    If you wish to know which domain object instance caused an ACL to be added to the array of AclEntry[]s applicable to a given domain object, you can iterate the BasicAclEntry (of which SimpleAclEntry is an implementation) and use this method:

    /**
     * Indicates the domain object instance that is subject of this
     * <code>BasicAclEntry</code>. This information may be of interest to
     * relying classes (voters and business methods) that wish to know the
     * actual origination of the ACL entry (so as to distinguish individual
     * ACL entries from others contributed by the inheritance hierarchy).
     *
     * @return the ACL object identity that is subject of this ACL entry (never
     *         <code>null</code>)
     */
    public AclObjectIdentity getAclObjectIdentity();

  4. #4
    Join Date
    Dec 2004
    Location
    New York
    Posts
    30

    Cool, thanks, Ben.
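
The filtering discussed in this thread, as an added example that is not part of any post and is not Acegi code: each entry records the object it is stored on and that object's ACL parent, and a viewer is shown only entries stored on objects strictly below the viewer's own object, with the inheritance marker recipient dropped. The `Entry` record is a stand-in for the `BasicAclEntry` accessors named above; the string identities, the `visibleTo` and `isBelow` helpers and the sample data are assumptions made for illustration (Java 16 or later for records).

```java
import java.util.*;

public class AclViewFilter {
    // Recipient name as written in the first post; such entries only link the hierarchy.
    static final String MARKER = "__INHERITANCE_MARKER_ONLY__";

    // Stand-in for the BasicAclEntry accessors named in the thread (assumption:
    // identities and recipients are plain strings instead of Acegi types).
    record Entry(String objectIdentity,  // getAclObjectIdentity(): object the entry is stored on
                 String parentIdentity,  // getAclObjectParentIdentity(): its ACL parent, or null
                 String recipient, String permission) {}

    // Keep only entries stored on objects strictly below the viewer's own object.
    static List<Entry> visibleTo(String viewerObject, List<Entry> effective) {
        Map<String, String> parentOf = new HashMap<>();
        for (Entry e : effective) parentOf.put(e.objectIdentity(), e.parentIdentity());
        List<Entry> out = new ArrayList<>();
        for (Entry e : effective) {
            if (MARKER.equals(e.recipient())) continue;  // never display marker entries
            if (isBelow(e.objectIdentity(), viewerObject, parentOf)) out.add(e);
        }
        return out;
    }

    // Walk the parent chain upward. A missing link or a cycle ends the walk,
    // so the entry stays hidden (fail closed).
    static boolean isBelow(String object, String ancestor, Map<String, String> parentOf) {
        Set<String> seen = new HashSet<>();
        for (String p = parentOf.get(object); p != null && seen.add(p); p = parentOf.get(p)) {
            if (p.equals(ancestor)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed data: a flattened list such as a getAcls call for "child" might yield.
        List<Entry> effective = List.of(
            new Entry("user:child", "user:parent", "parent", "ADMINISTRATION"),
            new Entry("user:child", "user:parent", MARKER, "NOTHING"),
            new Entry("user:parent", "user:grandparent", "grandparent", "ADMINISTRATION"),
            new Entry("user:grandparent", null, "superuser", "ADMINISTRATION"));
        for (Entry e : visibleTo("user:parent", effective))
            System.out.println(e.recipient() + " -> " + e.permission() + " on " + e.objectIdentity());
    }
}
```

The filter only decides what is displayed; whether a delete or change is allowed still has to be enforced by the ACL check on the server side.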
