[development] Deleting Cached Permissions
David Metzler
metzlerd at metzlerd.com
Tue Aug 28 02:56:34 UTC 2007
Although I'm not sure I share your view, I can certainly respect your
opinion here. At one point in time. Ron is bumping up against hard
limits on node_access which currently does not allow for value based
security to be attached to a node add event. On the issue in
question, several alternatives were debated, but none got any
traction. All have suggested node_access revamp. Which is a much
bigger issue.
That being said, the static caching of mechanism of user_cache will
affect any module that tries to elevate roles behind the scenes
whether temporary or permanently. These are potential issues for
other modules such as LDAP groups or others that seek to set role
membership based on a login event without user intervention. I think
that having control over a cache mechanism is not an unreasonable
request. Or stated in another way, I'm not sure that giving
developers control over a cache mechanism is a security concern.
So yes, I noticed, but this seemed like the most secure of the
options that I've seen IMHO. Time will tell wether core commit team
agrees.
Dave
On Aug 25, 2007, at 1:52 AM, Gerhard Killesreiter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David Metzler schrieb:
>> The permissions (user roles) are being altered temporarily. The
>> reasons
>> are documented in the issue Ron has referenced.
>
> I've said it once and I say it again since apparently nobody noticed:
>
> Temporarily changing user roles (per page request) is (currently)
> unsupported by Drupal.
>
> I'd even argue that it shouldn't be supported and that what Ron is
> doing
> should be achieved in another way.
>
> Cheers,
> Gerhard
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGz9tkfg6TFvELooQRAu7yAKCHUg0KbF+Aj0l5VsE4Nmn6cTUTmgCgo39m
> G+VDt5ihnhiN7eEGKXg9lX8=
> =llJu
> -----END PGP SIGNATURE-----
>
More information about the development
mailing list