WPI GDC Club Management System — Access Control Lists (ACLs)

Access Control Lists are a method of specifying who has the right to take which actions.  In the case of the CMS, ACLs have three generic properties taken straight from the Unix world: Read, Write, and Execute.  Read and Write are the most obvious permissions: Read corresponds to being able to view the resource, while Write is the ability to change the resource.

This leaves Execute.  The Execute privilege varies from resource to resource.  In the case of forums, the Execute privilege corresponds to moderating posts.  The Execute privilege is the generic “other” privilege.  (There is actually room for eight privileges, since the privileges are stored as an 8-bit wide bit field.  Only the bottom three are defined, as Read, Write, and Execute.)

Each ACL contains a list of users or groups of users and the permissions that each user or group has in the list.  The list is read from the top down: the first entry that matches the user being checked determines the permissions that are used.  For example, assume that we are checking a user named “Andy.”  If we look at an ACL that contains the following:

User/Group Read Write Execute
Moderator Group
Troll Group
<Default>

Then if Andy is in the “Moderator” group, he has Read, Write, and Execute privileges, even if he's also in the “Troll” group, because the Moderator entry is matched first.  The <Default> group is a special group: every access control list has default privileges, usually listed as belonging to <Default>.  If a user isn't found in any of the listed users or groups, then the default privileges are used; if Andy isn't in the Moderator group or in the Troll group, the <Default> privileges are applied.
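As an added illustration of the lookup described above (this is example code, not the CMS's own implementation), the following evaluator stores the 8-bit privilege field with Read, Write and Execute in the bottom three bits, walks the ACL top-down, and falls back to <Default> when nothing matches.  The privilege values assigned to the Troll group and to <Default> are constructed assumptions; the page only states that the Moderator group grants Read, Write and Execute.

```python
from dataclasses import dataclass

# Bottom three bits of the 8-bit privilege field; the other five are spare.
READ, WRITE, EXECUTE = 0x01, 0x02, 0x04


@dataclass(frozen=True)
class Entry:
    kind: str    # "user" or "group"
    name: str    # user name or group name
    perms: int   # 8-bit privilege field

    def __post_init__(self):
        if self.kind not in ("user", "group"):
            raise ValueError(f"bad entry kind {self.kind!r}")
        if not 0 <= self.perms <= 0xFF:
            raise ValueError("privilege field must fit in 8 bits")


@dataclass
class Acl:
    entries: list   # ordered top to bottom
    default: int    # the <Default> privileges

    def effective_perms(self, user, groups):
        """Walk the list top-down; the first matching entry wins.
        `groups` is the set of group names the user belongs to."""
        for e in self.entries:
            if e.kind == "user" and e.name == user:
                return e.perms
            if e.kind == "group" and e.name in groups:
                return e.perms
        return self.default   # nothing matched: fall back to <Default>


def names(perms):
    """Render the three defined bits as a string such as 'RW-'."""
    return "".join(ch if perms & bit else "-"
                   for ch, bit in (("R", READ), ("W", WRITE), ("X", EXECUTE)))


# Constructed sample ACL mirroring the table above.  The Troll and <Default>
# values are assumptions for the example, not taken from the page.
FORUM_ACL = Acl(
    entries=[
        Entry("group", "Moderator", READ | WRITE | EXECUTE),
        Entry("group", "Troll", READ),
    ],
    default=READ | WRITE,
)

if __name__ == "__main__":
    for groups in ({"Moderator", "Troll"}, {"Troll"}, set()):
        print(sorted(groups), names(FORUM_ACL.effective_perms("Andy", groups)))
```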
