
VOS::AccessControlState Class Reference
[libvos]

#include <vos/vos/accesscontrolstate.hh>



Detailed Description

This class stores and manages the access control lists for a particular local Vobject.

Definition at line 16 of file accesscontrolstate.hh.


Constructor & Destructor Documentation

VOS::AccessControlState::AccessControlState (VobjectBase myvobject)

Constructor.

Parameters:
myvobject the Vobject to be managed by this AccessControlState object.

VOS::AccessControlState::~AccessControlState ()

Destructor.


Member Function Documentation

void VOS::AccessControlState::addToACL (const std::string & ACLname, Group grp)

Add a group to an access control list (ACL).

If this group exists in another ACL, it will be removed from that ACL first.

Parameters:
ACLname the name of the ACL. This is a comma-separated list of the access control policies to apply, one per domain, for example "core:read-only,property:accept-all". Order does not matter (the list is sorted), but this ACL name is distinct from just "core:read-only"!
grp the Group to add

void VOS::AccessControlState::addToACL (const std::string & ACLname, Identity id)

Add an identity to an access control list (ACL).

If this identity exists in another ACL, it will be removed from that ACL first.

Parameters:
ACLname the name of the ACL. This is a comma-separated list of the access control policies to apply, one per domain, for example "core:read-only,property:accept-all". Order does not matter (the list is sorted), but this ACL name is distinct from just "core:read-only"!
id the Identity to add

void VOS::AccessControlState::deleteACL (const std::string & policies)

Completely delete an ACL.

Parameters:
policies the name of the ACL. This is a comma-separated list of the access control policies to apply, one per domain, for example "core:read-only,property:accept-all". Order does not matter (the list is sorted), but this ACL name is distinct from just "core:read-only"!

VUtil::vRef<AccessControlList> VOS::AccessControlState::getACL (const std::string & policies)

Get the access control list (ACL) associated with a particular name.

Parameters:
policies the ACL name, a comma-separated list of domain:policy pairs, the same as used by addToACL(), removeFromACL() and deleteACL().

ACLIterator VOS::AccessControlState::getAllACLs ()

Returns:
all access control lists (ACL) that have been set.

StringIterator VOS::AccessControlState::getAvailablePolicies (const std::string & domain)

Returns:
all policies in a particular policy domain that are available for use.

VUtil::vRef<VobjectBase> VOS::AccessControlState::getBase ()

Returns:
the Vobject that these access control policies are applied to.

std::string VOS::AccessControlState::getDefaultPolicy (const std::string & domain = "")

Get the policy that is applied by default if the requester's identity or groups were not found in any ACL.

This is also the policy applied to anonymous users (users with no identity).

Parameters:
domain the policy domain you are interested in. If blank, a comma-separated list of the default policy in each domain is returned.

Referenced by VOS::VobjectBase::getAccessControlsFor().

StringIterator VOS::AccessControlState::getPolicy (const std::string & domain, Identity id)

Do an access control lookup: for an identity requesting access, return the applicable policy (or policies) in the given domain, based on the current access control lists.

Access control lookup works like this:

  1. Check each ACL to see if it lists this Identity. If so, we use that ACL's policy.
  2. Otherwise, check each ACL for groups that this Identity belongs to. If the Identity is a member of several Groups that sit in different ACLs, the policy of each relevant ACL is returned. It is up to the caller to check *every* returned policy to decide pass or fail; commonly in VOS code, if any policy grants permission then permission is given. Under that convention groups can only add permissions, never take them away! Design your access control scheme accordingly, and make the default policy as restrictive as possible.
  3. Otherwise, because neither the Identity nor any Group it is a member of appear in any ACL, the default access control is returned.

Parameters:
domain the policy domain of interest
id the identity requesting access

Referenced by VOS::VobjectBase::getAccessControlsFor().

void VOS::AccessControlState::removeFromACL (const std::string & ACLname, Group grp)

Remove a Group from an access control list (ACL).

The ACL will be deleted when the last member is removed.

Parameters:
ACLname the name of the ACL. This is a comma-separated list of the access control policies to apply, one per domain, for example "core:read-only,property:accept-all". Order does not matter (the list is sorted), but this ACL name is distinct from just "core:read-only"!
grp the Group to remove

void VOS::AccessControlState::removeFromACL (const std::string & ACLname, Identity id)

Remove an Identity from an access control list (ACL).

The ACL will be deleted when the last member is removed.

Parameters:
ACLname the name of the ACL. This is a comma-separated list of the access control policies to apply, one per domain, for example "core:read-only,property:accept-all". Order does not matter (the list is sorted), but this ACL name is distinct from just "core:read-only"!
id the Identity to remove

void VOS::AccessControlState::setDefaultPolicy (const std::string & policy)

Set the default policy.

Parameters:
policy the policy. Only the domains listed in this string are affected. For example, if your current default policy is "core:read-only,property:accept-all" and you call setDefaultPolicy("property:read-only"), the resulting default policy will be "core:read-only,property:read-only".
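The following is an added example, not libvos code: a small C++ model of the rules this page describes, namely the sorted comma-separated ACL names used by addToACL() and friends, the per-domain merge performed by setDefaultPolicy(), and the three-step lookup documented under getPolicy(). Identity, Group and AccessControlList are stood in for by plain strings and std::map, group membership is supplied through an assumed setGroupMembers() helper, and policyIn() returning "" for a domain an ACL name does not mention is an assumption of this model. The sample identities, groups and ACL names in sampleState() are constructed for the example. anyGrants() implements the "any policy grants" caller convention the page mentions, which is what makes a group unable to narrow access.

```cpp
// Added model of the ACL naming, default-policy and lookup rules on this page.
// Not libvos code: Identity, Group and AccessControlList are stood in for by strings.
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>
using Table = std::map<std::string, std::set<std::string>>;  // ACL name -> member names

// Split "core:read-only,property:accept-all" into domain -> policy.
std::map<std::string, std::string> parsePolicies(const std::string& name) {
    std::map<std::string, std::string> out;
    std::istringstream in(name);
    for (std::string item; std::getline(in, item, ',');) {
        auto colon = item.find(':');
        if (!item.empty()) out[item.substr(0, colon)] = colon == std::string::npos ? "" : item.substr(colon + 1);
    }
    return out;
}
// Join domain -> policy back into the comma-separated form; std::map keeps domains sorted.
std::string joinPolicies(const std::map<std::string, std::string>& policies) {
    std::string out;
    for (const auto& kv : policies) out += (out.empty() ? "" : ",") + kv.first + ':' + kv.second;
    return out;
}
// Canonical ACL name: any order of the same pairs names one ACL, but "core:read-only" alone is another.
std::string canonicalName(const std::string& name) { return joinPolicies(parsePolicies(name)); }
// Policy an ACL name assigns in one domain ("" if that domain is absent: an assumption of this model).
std::string policyIn(const std::string& aclName, const std::string& domain) {
    auto policies = parsePolicies(aclName);
    return policies.count(domain) ? policies[domain] : "";
}

class AccessControlState {
    std::map<std::string, std::string> defaults_;  // domain -> default policy
    Table identityAcls_;                           // ACL name -> identities
    Table groupAcls_;                              // ACL name -> groups
    Table groupMembers_;                           // group -> identities (assumed stand-in for Group)
    // Drop a member from every ACL in a table; an ACL is deleted when its last member goes.
    static void removeEverywhere(Table& table, const std::string& member) {
        for (auto it = table.begin(); it != table.end();) {
            it->second.erase(member);
            if (it->second.empty()) it = table.erase(it); else ++it;
        }
    }
public:
    void setGroupMembers(const std::string& grp, const std::set<std::string>& ids) { groupMembers_[grp] = ids; }
    // Only the domains named in `policy` change; the others keep their old value.
    void setDefaultPolicy(const std::string& policy) {
        for (const auto& kv : parsePolicies(policy)) defaults_[kv.first] = kv.second;
    }
    std::string getDefaultPolicy(const std::string& domain = "") const {
        if (domain.empty()) return joinPolicies(defaults_);
        return defaults_.count(domain) ? defaults_.at(domain) : "";
    }
    // A member lives in at most one ACL, so it is removed from any other ACL first.
    void addIdentityToACL(const std::string& aclName, const std::string& id) {
        removeEverywhere(identityAcls_, id);
        identityAcls_[canonicalName(aclName)].insert(id);
    }
    void addGroupToACL(const std::string& aclName, const std::string& grp) {
        removeEverywhere(groupAcls_, grp);
        groupAcls_[canonicalName(aclName)].insert(grp);
    }
    // The three-step lookup from the getPolicy() documentation.
    std::vector<std::string> getPolicy(const std::string& domain, const std::string& id) const {
        for (const auto& acl : identityAcls_)  // 1. identity listed directly: that ACL's policy only
            if (acl.second.count(id)) return {policyIn(acl.first, domain)};
        std::vector<std::string> viaGroups;    // 2. one policy per ACL holding a group of this identity
        for (const auto& acl : groupAcls_)
            for (const auto& grp : acl.second) {
                auto g = groupMembers_.find(grp);
                if (g != groupMembers_.end() && g->second.count(id)) { viaGroups.push_back(policyIn(acl.first, domain)); break; }
            }
        if (!viaGroups.empty()) return viaGroups;
        return {getDefaultPolicy(domain)};     // 3. nothing matched: the default policy
    }
};

// The "any policy grants" caller convention the page says is common in VOS code:
// under it a group can only widen what an identity may do, never narrow it.
bool anyGrants(const std::vector<std::string>& policies, const std::string& grant) {
    for (const auto& p : policies) if (p == grant) return true;
    return false;
}

// Constructed sample state (identities, groups and ACL names are made up for this example).
AccessControlState sampleState() {
    AccessControlState acs;
    acs.setDefaultPolicy("core:read-only,property:accept-all");
    acs.setDefaultPolicy("property:read-only");       // the page's setDefaultPolicy() example
    acs.setGroupMembers("editors", {"alice", "carol"});
    acs.setGroupMembers("viewers", {"alice"});
    acs.addGroupToACL("core:accept-all", "editors");
    acs.addGroupToACL("property:accept-all,core:read-only", "viewers");  // stored under its sorted name
    acs.addIdentityToACL("core:read-only", "carol");  // listed directly, so her group membership is ignored
    return acs;
}
```

In sampleState(), alice is in two groups that sit in different ACLs, so getPolicy("core", "alice") returns both "accept-all" and "read-only"; a caller using anyGrants() lets her through, which is the widening effect the getPolicy() documentation warns about. carol is in the same "editors" group but is listed directly in "core:read-only", so step 1 applies and only "read-only" is returned for her.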


The documentation for this class was generated from the following file: