Changes between Version 3 and Version 4 of UserGuidelines/Admin/Permissions/Rules


Timestamp:
02/09/17 10:16:49 (8 years ago)
Author:
Dominic König
Comment:

--

  • UserGuidelines/Admin/Permissions/Rules

    v3 v4  
    9797
    9898In particular, non-ACL rules can not allow access to controllers while ACL rules deny it.
     99
     100== A-Roles ==
     101
     102ADMIN has all roles (=auth.s3_has_role is always True if the user is ADMIN, regardless of the role asked for).
     103
     104ADMIN has all permissions (=auth.s3_has_permission is always True if the user is ADMIN)
     105
     106auth.s3_has_role(ANONYMOUS) is always True (ANONYMOUS role is assigned to all users, even if not logged-in)
     107
     108auth.s3_has_role(AUTHENTICATED) is always True when the user is logged in (AUTHENTICATED role is automatically assigned to the user when logged-in)
     109
     110== Session Ownership ==
     111
     112Records created during a session are owned by that session, and oACLs apply like for personally owned records (i.e. without realm restriction) - even if the user is not logged in.
     113
     114This ownership ends when the user logs in or out, or when the session is otherwise termindated or cleared.
     115
     116Session ownership allows anonymous users to temporarily own the records they create, and thus to apply oACL rules even for unauthenticated users (=allow e.g. update or delete without the need to allow it for all records)
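Review bot: line 114 contains a typo, "termindated" should read "terminated"; since this sentence defines when session ownership ends, it is worth fixing before the page is relied on. Two smaller documentation points in the same hunk: the heading "== A-Roles ==" (line 100) introduces a term that the section never defines, so a one-sentence lead-in stating what distinguishes these roles (ADMIN, ANONYMOUS, AUTHENTICATED) from ordinary roles would help readers; and the "Session Ownership" section (lines 112-116) states that oACLs apply to session-owned records "without realm restriction" and "even if the user is not logged in", which is a security-relevant property for anonymous access, so it would be useful to state alongside it which rules still limit those records (the preceding context line 98 says ACL rules take precedence over non-ACL rules) so administrators do not read the section as granting unconditional update or delete rights to anonymous sessions.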