On 05/22/2016 12:08 AM, Harshit Bansal wrote:
Hi Simon, This is the discussion that I was referring to:
Harshit Bansal writes:
I think the "Permissions Systems" would have nothing to do with the core. It would be related to Postorius. We will have to create a style model separately in Postorius which would store the style name and the user who created it. Then only the user who has created the style would be granted the permission to edit it.
Stephen J. Turnbull wrote:
Thanks, Harshit Bansal
Hi, Earlier, while discussing the permission system for manging styles, it was decided that the permissions system should be enforced in the core rather than in the postorius since otherwise it can be bypassed(deliberately or undeliberately). But one thing that I think I forgot to discuss was that currently there is no authorisation system in the core and now I am unable to figure out that how could the permissions be enforced in the core without an authorisation system. Should I workout an authorisation system for the core first or enforce permissions in postorius only?
After reading this and your proposal, I'm wondering why you want to add the permission system in postorius.
You are storing the styles in core, and grant permissions based on list/domain/site ownerships. All this information is in core.
Currently mailmanclient exposes everything, not caring about permissions. You have admin rights, whoever uses mailmanclient has to manage access on their own.
We currently have @list_moderator_required that we use in postorius. We are not doing anything with domain or site owners, but they should be pretty easy to implement.
While in theory it would be possible to enforce permissions in core about who is allowed to call specific rest calls, this would require a lot of changes. I'm not sure we want to go this way.
There are some things in core, that suggest that this might come sometime. (Users have passwords and you can authenticate them) But I guess this is somewhat legacy and will be dropped sometime in the future.