[development] Deleting Cached Permissions

[David Metzler]

Although I'm not sure I share your view, I can certainly respect your  
opinion here.  At one point in time.  Ron is bumping up against hard  
limits on node_access which currently does not allow for value based  
security to be attached to a node add event.   On the issue in  
question, several alternatives were debated, but none got any  
traction. All have suggested node_access revamp.  Which is a much  
bigger issue.

That being said, the static caching of mechanism of user_cache will  
affect any module that tries to elevate roles behind the scenes  
whether temporary or permanently.  These are potential issues for  
other modules such as LDAP groups or others that seek to set role  
membership based on a login event without user intervention.  I think  
that having control over a cache mechanism is not an unreasonable  
request. Or stated in another way, I'm not sure that giving  
developers control over a cache mechanism is a security concern.

So yes, I noticed, but this seemed like the most secure of the  
options that I've seen IMHO.  Time will tell wether core commit team  
agrees.

Dave



On Aug 25, 2007, at 1:52 AM, Gerhard Killesreiter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David Metzler schrieb:
>> The permissions (user roles) are being altered temporarily.  The  
>> reasons
>> are documented in the issue Ron has referenced.
>
> I've said it once and I say it again since apparently nobody noticed:
>
> Temporarily changing user roles (per page request) is (currently)
> unsupported by Drupal.
>
> I'd even argue that it shouldn't be supported and that what Ron is  
> doing
> should be achieved in another way.
>
> Cheers,
> 	Gerhard
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGz9tkfg6TFvELooQRAu7yAKCHUg0KbF+Aj0l5VsE4Nmn6cTUTmgCgo39m
> G+VDt5ihnhiN7eEGKXg9lX8=
> =llJu
> -----END PGP SIGNATURE-----
>