
cmis-comment message



Subject: Should "object-only" be implemented in applyACL, and how?


Hi,

I'm a bit confused with the interpretation of the behavior of CMIS ACL inheritance.

As far as I can see, which object an object should inherit from and how its permissions are inherited are outside the CMIS specs; it's a repository-specific matter. CMIS only says each ACE is calculated in a "direct / non-direct" way.
  • The applyACL method can take an "object-only" parameter. Does it mean that an ACE which is applied in "object-only" mode is not inherited by other objects even when these objects are in an inheritance relationship, like descendants? If so, I need to hold an inheritance flag on each ACE on an object, besides the inheritance relationship between objects. Am I right in this understanding?
  • Both the ACL capabilities and applyACL's parameters have an "object only" / "propagate" value. The CMIS spec says the ACL capability "propagate" includes support for "object only" (2.1.12.3). Does it mean that if I want to permit my repository to propagate ACLs along the inheritance relationship, it is also required to implement "object-only" ACL calculation?
    • If possible, I want to implement only "propagate" mode and the switching on / off of inheritance, without implementing "object-only" mode. For example, suppose that a parent object's ACEs (which include local ACEs and other ACEs inherited from the ancestors) are all inherited by children; then there is no room for "object-only" mode. The ACEs to be inherited are all or nothing. Can I do that in compliance with CMIS? In fact, Alfresco does not support "object-only", only does "propagate", and implements the inheritance flag outside of CMIS. https://forums.alfresco.com/forum/developer-discussions/alfresco-api/cmis-acl-06212012-0622
    • I found the ancient description of "object-only" and "propagate" in CMIS Domain Model v0.62c (http://xml.coverpages.org/CMIS-PartI-DomainModel-V062c.pdf). It says that in "object-only" mode the repository is able to “break” the dependency for non-direct ACEs when requested by the client. It may conflict a bit with my understanding of an object's inheritance and an ACE's "object-only" mode.
  • The applyACL method needs ACE parameters which can hold a "direct" flag. When I add / update an ACE, should I also reflect its direct flag as specified by the input? I suppose the direct flag is just for output, not for input, and it is decided after calculation of the ACL based on inheritance (and maybe the "object-only" flag on each ACE). CMIS seems not to say so clearly…

As I'm developing a CMIS server product from scratch, I do not yet have an existing ACL inheritance implementation which is to be covered by CMIS, and so I want to adjust it to the CMIS specs as far as possible.


Regards,
linzhixing.
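
A minimal model of the design the message above describes, as an added example that is not part of the original message and is not taken from the CMIS specification or any repository: each stored ACE carries an inheritance flag set from the applyACL propagation mode, each object has an inheritance switch, and the direct flag is computed on output only. The names `StoredAce`, `Node`, `apply_acl`, `effective_acl` and `build_sample` are hypothetical, the sample hierarchy is constructed, and the semantics are one possible interpretation, which is exactly what the message asks about.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class StoredAce:
    principal: str
    permission: str
    inheritable: bool  # False models an ACE applied with "objectonly"

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True  # per-object inheritance switch (repository-specific)
    local: list = field(default_factory=list)

def apply_acl(node, principal, permission, propagation="propagate"):
    """Store a local ACE. No 'direct' input is accepted; it is output-only here."""
    if propagation not in ("objectonly", "propagate"):
        raise ValueError(f"unsupported propagation: {propagation}")
    node.local.append(StoredAce(principal, permission, propagation == "propagate"))

def effective_acl(node):
    """Return {(principal, permission): direct} for one object."""
    acl = {}
    current = node
    # Climb while each object on the path still inherits from its parent.
    while current.inherit and current.parent is not None:
        current = current.parent
        for ace in current.local:
            if ace.inheritable:  # object-only ACEs stay on their own object
                acl.setdefault((ace.principal, ace.permission), False)
    for ace in node.local:  # local ACEs are always reported as direct
        acl[(ace.principal, ace.permission)] = True
    return acl

def build_sample():
    """Constructed hierarchy: root -> folder -> doc."""
    root = Node("root")
    folder = Node("folder", parent=root)
    doc = Node("doc", parent=folder)
    apply_acl(root, "alice", "cmis:read", "propagate")
    apply_acl(root, "bob", "cmis:write", "objectonly")
    apply_acl(folder, "carol", "cmis:read", "propagate")
    apply_acl(doc, "alice", "cmis:read", "propagate")
    return root, folder, doc

if __name__ == "__main__":
    root, folder, doc = build_sample()
    print(effective_acl(doc))
    folder.inherit = False  # break inheritance above folder
    print(effective_acl(doc))
```

In this model an ACE that is both inherited and set locally is reported once, as direct, and switching `inherit` off on an object cuts everything above it regardless of the per-ACE flag.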


