On 17.01.2012 20:54, Johan Corveleyn wrote:
> But, but ... if you're able to checkout ^/foo/bar/baz, then you
> already know that foo and foo/bar

In the ACL world, there is a difference between "lookup" and "read"
access. In your example, the user has permission to lookup ^/foo and
^/foo/bar, but not to read them; whereas she can read ^/foo/bar/baz.
"Lookup" implies that you can perform operations on the node's
descendants (based on their access flags), but not access the node's
properties -- and that includes not allowing directory enumeration. In
other words, "lookup" access on ^/foo/bar means that you may be able to
open(^/foo/bar/baz) if you have appropriate access to .../baz, but not
readdir(^/foo/bar) -- so someone has to tell you that ^/foo/bar/baz
exists since you can't discover that by walking down the directory tree.
Some models always allow lookup, others allow you to turn it off. It all
depends on how many non-obvious edge cases you want to introduce in your
ACL model. :)
Received on 2012-01-21 20:22:37 CET
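
An added sketch of the lookup/read split described in the message above (not part of the original post and not Subversion code): a toy single-user ACL tree where traversal needs "lookup" on every directory passed through, and both open and readdir need "read" on the target. The flag, class and function names, and the choice to report missing and denied nodes identically, are assumptions of this example.

```python
LOOKUP, READ = "lookup", "read"   # hypothetical flag names for this sketch

class AccessDenied(Exception):
    """Raised for denied and for missing nodes alike, so errors leak no names."""

class Node:
    def __init__(self, name, rights=(), children=(), content=None):
        self.name = name
        self.rights = frozenset(rights)   # rights of the single user modelled
        self.children = {c.name: c for c in children}
        self.content = content

def _walk(root, path):
    """Follow path from root; each directory passed through needs LOOKUP."""
    node = root
    for part in [p for p in path.lstrip("^").split("/") if p]:
        if LOOKUP not in node.rights or part not in node.children:
            raise AccessDenied(path)
        node = node.children[part]
    return node

def open_node(root, path):
    """Read a node; needs READ on the node itself."""
    node = _walk(root, path)
    if READ not in node.rights:
        raise AccessDenied(path)
    return node.content

def readdir(root, path):
    """Enumerate a directory; enumeration counts as reading the directory."""
    node = _walk(root, path)
    if READ not in node.rights:
        raise AccessDenied(path)
    return sorted(node.children)

def allowed(op, root, path):
    try:
        op(root, path)
        return True
    except AccessDenied:
        return False

def sample_tree(bar_rights=(LOOKUP,)):
    """Constructed tree: lookup-only on ^/foo and ^/foo/bar, read on .../baz."""
    readme = Node("README", {READ}, content="hello")
    baz = Node("baz", {LOOKUP, READ}, [readme])
    bar = Node("bar", bar_rights, [baz, Node("secret")])
    return Node("", {LOOKUP}, [Node("foo", {LOOKUP}, [bar])])
```

Calling `sample_tree(bar_rights=())` models an ACL system that lets lookup be turned off: ^/foo/bar/baz then becomes unreachable even though the node itself is readable.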