A tag @profile:user on a prefix, causes the tag to expand to every effective tag that the user from the tag has in that prefix.
If a tag comes from an expansion but there is already another tag set explicitly on the prefix, the latter prevails
I cant find any security issue with this method, because the only one who can grant permissions on an user for a prefix, is an admin of that prefix which already could do that, and the only tags added are those related to the prefix being administered.
Example:
If the stored tags are
User
Prefix
Tag
root
.
@admin:true
foo
bar
testTag:123
unpriv
test
@profile:root
unpriv
bar
testTag:987, @profile:foo
When the user unpriv gets loaded and expanded, it becomes:
User
Prefix
Tag
unpriv
test
@profile:root, @admin:true
unpriv
bar
testTag:987, @profile:foo
Do we keep the @profile:user syntax? This limits an user to being able to inherit tags from one user only. Is this what we want?
pho
commented
8 years ago
This is a proposal for fixing #8
A tag
@profile:useron a prefix, causes the tag to expand to every effective tag that the user from the tag has in that prefix.If a tag comes from an expansion but there is already another tag set explicitly on the prefix, the latter prevails
I cant find any security issue with this method, because the only one who can grant permissions on an user for a prefix, is an admin of that prefix which already could do that, and the only tags added are those related to the prefix being administered.
Example:
If the stored tags are
.@admin:truebartestTag:123test@profile:rootbartestTag:987,@profile:fooWhen the user unpriv gets loaded and expanded, it becomes:
test@profile:root,@admin:truebartestTag:987,@profile:fooDo we keep the
@profile:usersyntax? This limits an user to being able to inherit tags from one user only. Is this what we want?