WPI GDC Club Management System — Access Control Lists (ACLs)
Access Control Lists are a method of specifying who has the right to take which actions on a resource.
In the case of the CMS, ACLs have three generic properties taken straight from the Unix world: Read, Write, and
Execute. Read and Write are the most obvious permissions: Read corresponds to being able to view the resource,
while Write is the ability to change the resource.
This leaves Execute. The Execute privilege varies from resource to resource; in the
case of forums, it corresponds to moderating posts. Execute is the generic
“other” privilege. (There is actually room for eight privileges, since the privileges are stored
as an 8-bit wide bit field. Only the bottom three are defined, as Read, Write, and Execute.)
Each ACL contains a list of users or groups of users and the permissions that each user or group
has. The list is read from the top down: the first entry that matches the user being checked for a
permission is the one that is used. For example, assume that we are checking a user
named “Andy” against an ACL that contains the following:
User/Group      | Read | Write | Execute
Moderator Group | yes  | yes   | yes
Troll Group     |      |       |
<Default>       |      |       |
Then if Andy is in the “Moderator” group, he has Read, Write, and Execute
privileges, even if he is also in the “Troll” group. The <Default> group is a
special group: every access control list has default privileges, usually listed as belonging to
<Default>. If a user isn't found in any of the listed users or groups, the default privileges are used;
if Andy is in neither the Moderator Group nor the Troll Group, the <Default> privileges are
applied.
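The evaluation described above, written out as an added Python example (this is not code from the CMS itself). It assumes the Unix rwx bit layout for the three defined bits, and the permission values given to the Troll Group and <Default> entries are constructed for illustration, since the page does not state them.

```python
from dataclasses import dataclass

# Bit positions assumed here follow the Unix rwx convention; the page only says
# the bottom three bits of an 8-bit field are Read, Write and Execute.
READ, WRITE, EXECUTE = 0b100, 0b010, 0b001
DEFAULT = "<Default>"


@dataclass(frozen=True)
class AclEntry:
    principal: str   # a user name, a group name, or "<Default>"
    perms: int       # 8-bit field; only the low three bits are defined


class Acl:
    def __init__(self, entries):
        self.entries = list(entries)
        # The page states every ACL carries default privileges, so refuse
        # a list without them rather than silently denying or allowing.
        if not any(e.principal == DEFAULT for e in self.entries):
            raise ValueError("every ACL carries a <Default> entry")
        for e in self.entries:
            if not 0 <= e.perms <= 0xFF:
                raise ValueError(f"{e.principal}: permissions must fit in 8 bits")

    def effective(self, user, groups):
        """Walk the list top-down; the first entry naming the user or one of
        the user's groups wins. <Default> applies only if nothing matched."""
        names = {user, *groups}
        for e in self.entries:
            if e.principal != DEFAULT and e.principal in names:
                return e.perms
        return next(e.perms for e in self.entries if e.principal == DEFAULT)

    def allows(self, user, groups, wanted):
        """True if every bit in `wanted` is set in the user's effective perms."""
        return self.effective(user, groups) & wanted == wanted


# Constructed sample ACL for a forum, modelled on the table above. The Troll
# and <Default> permission bits are illustrative choices, not from the page.
FORUM_ACL = Acl([
    AclEntry("Moderator Group", READ | WRITE | EXECUTE),  # Execute = moderate
    AclEntry("Troll Group", 0),
    AclEntry(DEFAULT, READ),
])
```

Because matching is first-hit, swapping the Moderator and Troll rows changes what Andy gets when he is in both groups; ordering is part of the policy, not just presentation.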