New permissions evaluation in 2.0
|New permissions evaluation|
|Assignee||Petr Škoda (škoďák)|
The main goals are to:
- replace current confusing permission evaluation
- improve performance
- enable improvements in permission overriding UI
Permission evaluation algorithm
- find all roles with given capability used in definition or override
- evaluate permissions in given context for each role separately (going from bottom to top in context tree, first found wins unless there is a CAP_PROHIBIT on any level above)
- user has capability if he/she has at least one role which evaluated to CAP_ALLOW and at the same time no role which was evaluated to CAP_PROHIBIT
has_capability() and get_users_by_capability() uses fixed number of queries. The result could be returned as sql query instead of database records.
The only potential problem is CAP_PREVENT in overrides when user has several conflicting roles. Originally this was highlighted as a special feature, unfortunately it was in fact the main source of confusion.