
Privilege inheritance in group hierarchies

Open flack opened this issue 9 years ago • 1 comments

Reported by flack on 22 May 1978 02:14 UTC

midcom_core_user includes functionality for recursively collecting privileges from group hierarchies, but the feature is commented out. Re-enabling it would give us an inheritance mechanism where child groups inherit their parents' permissions.

The question is whether this is the desired behavior. Alternatively, parent groups could aggregate their children's privileges (as indicated by the comment in the source), but that might result in lower performance in large group trees. The best way to implement this would probably be to modify the behavior of midcom_core_group::list_memberships() to include subordinate groups.

Another possibility would be to use a config setting or individual MIDCOM_PRIVILEGE_INHERIT privileges to indicate whether or not child groups should inherit their parents' privileges, but there would have to be a UI for that.

Migrated-From: http://trac.openpsa2.org/ticket/149

flack, Jan 30 '15 23:01

According to http://trac.midgard-project.org/changeset/1353, it's supposed to work like this:

everyone -> root group -> sub group(s) -> virtual group(s) -> user privileges

flack, Dec 19 '16 12:12
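The resolution order quoted in the last comment, modelled as an added example that is not OpenPSA or MidCOM code: each layer is applied in turn, and an explicit value replaces what an earlier layer set. The function names, constants, data layout, the "later layer wins" rule and the cycle check are all assumptions made for illustration.

```php
<?php
// Added illustration: every name here is hypothetical, not MidCOM's API.
const ALLOW = 'allow';
const DENY = 'deny';
const INHERIT = 'inherit'; // no opinion: keep what an earlier layer set

// Walk from $group up to its root and return the chain root-first.
function group_chain(string $group, array $parents): array {
    $chain = [];
    for ($g = $group; $g !== null; $g = $parents[$g] ?? null) {
        if (in_array($g, $chain, true)) {
            // A cyclic parent link would otherwise loop forever.
            throw new RuntimeException("cycle in group hierarchy at '$g'");
        }
        array_unshift($chain, $g);
    }
    return $chain;
}

// everyone -> root group -> sub group(s) -> virtual group(s) -> user
function effective_privileges(string $user, array $m): array {
    $layers = [$m['everyone']];
    foreach (group_chain($m['member_of'][$user], $m['parents']) as $g) {
        $layers[] = $m['groups'][$g] ?? [];
    }
    foreach ($m['virtual'][$user] ?? [] as $vg) {
        $layers[] = $m['groups'][$vg] ?? [];
    }
    $layers[] = $m['users'][$user] ?? [];
    $effective = [];
    foreach ($layers as $layer) {
        // Assumption: later layers override earlier ones unless they say INHERIT.
        $explicit = array_filter($layer, fn($v) => $v !== INHERIT);
        $effective = array_merge($effective, $explicit);
    }
    return $effective;
}

// Constructed sample data.
$model = [
    'parents'   => ['staff' => null, 'support' => 'staff'],
    'member_of' => ['alice' => 'support'],
    'everyone'  => ['midgard:read' => ALLOW],
    'groups'    => ['staff'   => ['midgard:update' => ALLOW, 'midgard:delete' => DENY],
                    'support' => ['midgard:delete' => ALLOW, 'midgard:update' => INHERIT]],
    'users'     => ['alice' => ['midgard:update' => DENY]],
];
print_r(effective_privileges('alice', $model));
```

In this sample the sub group's explicit ALLOW replaces the root group's DENY for the same privilege, so under a "later wins" rule a child group can widen access its parent denied. That is the behavior to settle before re-enabling the commented-out code.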