Library for handling permissions.
This is a generic permissions system. The idea is to programmatically allow/deny access to anything based on user, group, and "other" permissions.
If you understand Linux filesystem permissions, you should understand this system intrinsically. It is based upon that system.
This system denies access by default: if a request is made for which there is no rule, permission is denied. This is a pretty basic system, lacking formal tie-ins to other tables. This simplicity is by design: avoiding any unnecessary linkage to other tables ensures maximum usability with minimal barrier to entry.
The thing that needs to have permissions assigned is stored in the
The user that owns it is assigned with the user_id field as an integer. The group that owns it is assigned with the group_id field as an integer. When requesting permission, the default is to deny: if no object matches the query, it is assumed that the permissions are
There is no concept of parent/child relationships, so each object is considered a stand-alone entity. It should be fairly easy to extend this system to accommodate that concept.
The perms field is a number that indicates user, group, and other permissions, all together. So, given the value
3 indicates user permissions, 2 indicates group permissions, and the 1 indicates other.
Values for these fields are as follows:
- 1 is for EXECUTE (with x used for shorthand) privilege.
- 2 is for WRITE (with w used for shorthand) privilege.
- 3 is for READ (with r as shorthand) privilege.
The allowed privileges are added together to show what is allowed and what isn't. The breakdown is as follows:
- --- access denied (no read, no write, no execute)
- --x (no read, no write, +execute)
- -w- (no read, +write, no execute)
- -wx (no read, +write, +execute)
- r-- (+read, no write, no execute)
- r-x (+read, no write, +execute)
- rw- (+read, +write, no execute)
- rwx full access (+read, +write, +execute)
So, to expand on that, you can read the following values as:
- 777 == full access to owner, group, and other
- 532 == read+execute for owner, write+execute for group, write for other
- 007 == no access to user/group, full access to other
- 700 == user has full access, but nobody else does
It's somewhat important to know the order in which permissions are determined. So here it is.
- user: if the user_id matches, the first set of permissions (the left-most set) is used.
- group: if the group_id matches (and the user_id does not), the group permissions are used.
- other: if neither user_id nor group_id match, the other permissions are used.
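The lookup order and deny-by-default behaviour described above, as an added Python example that is not the library's own code. Rule, split_perms, is_allowed and the sample rules are hypothetical names; it assumes READ carries the Linux value 4 (which the 532 reading above implies) and that the caller supplies the requesting user's group ids.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1  # assumed Linux bit values (5 = r-x, as in 532)


@dataclass(frozen=True)
class Rule:  # hypothetical record: owner, owning group, three-digit perms
    user_id: int
    group_id: int
    perms: int


def split_perms(perms):
    """Return the (user, group, other) digits, rejecting anything outside 000-777."""
    if type(perms) is not int or not 0 <= perms <= 777:
        raise ValueError(f"invalid perms: {perms!r}")
    digits = (perms // 100, perms // 10 % 10, perms % 10)
    if max(digits) > 7:
        raise ValueError(f"invalid perms digit in {perms}")
    return digits


def is_allowed(rules, name, user_id, group_ids, wanted):
    """True only if the one applicable digit grants every bit in `wanted`."""
    rule = rules.get(name)
    if rule is None or not 1 <= wanted <= 7:
        return False  # no rule, or a meaningless request: deny by default
    try:
        user, group, other = split_perms(rule.perms)
    except ValueError:
        return False  # a malformed stored rule also fails closed
    if user_id == rule.user_id:
        granted = user  # owner: only the left-most digit applies
    elif rule.group_id in group_ids:
        granted = group
    else:
        granted = other
    return (granted & wanted) == wanted


# Constructed sample rules using the perms values discussed above.
RULES = {
    "report": Rule(user_id=10, group_id=20, perms=532),
    "inbox": Rule(user_id=10, group_id=20, perms=7),  # 007
    "private": Rule(user_id=10, group_id=20, perms=700),
}
```

Because only one digit is ever consulted, the owner of "report" is refused WRITE even though the group digit grants it, and the owner of "inbox" (007) is refused everything while unrelated users get full access.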
TODO: put in some examples.