Permission Inheritance
#1
Let's say you are using info.lua to setup your permission system.

When you have the permission for a subcommand, you can only use that subcommand. Fairly reasonable.

Although, I think that if you have permission to the command then you should be granted access to all sub commands.

Why?
It's conveniant so I can do something like plugin.* as a permission to grant all permissions. This is useful for ranks to be assigned full use of plugins without adding each one one by one. This was very tedious for me when I used bukkit when plugins didn't include it. It's also a much easier solution than doing permission checking in each handler function.
Reply
Thanks given by:
#2
That's not a good idea, because of the multi-word commands based on a single word. Let's consider the Gallery plugin: it has a "/gallery claim" command and "/gallery reset" command. The first one should be available to all players, the second one should be available only to admins. So there's just no way to have "one command sets permissions for all commands"

When you write a plugin, you should structure your permissions properly (Gallery is a poor example, unfortunately). Make a guess at what the groups for individual commands are, and make use of permission subgroups:
"plugin.user.something1"
"plugin.user.something2"
"plugin.admin.dangerous1"
"plugin.admin.dangerous2"
This way admins can add "plugin.user.*" permission to their user rank and be done with it.

Of course, MCS supports "antipermissions", too. You can add the permission "gallery.*" and then specify restrictions as "gallery.admin.*".

I'd say these are powerful enough for most cases.
Reply
Thanks given by:
#3
(05-18-2015, 06:25 AM)xoft Wrote: That's not a good idea, because of the multi-word commands based on a single word. Let's consider the Gallery plugin: it has a "/gallery claim" command and "/gallery reset" command. The first one should be available to all players, the second one should be available only to admins. So there's just no way to have "one command sets permissions for all commands"

When you write a plugin, you should structure your permissions properly (Gallery is a poor example, unfortunately). Make a guess at what the groups for individual commands are, and make use of permission subgroups:
"plugin.user.something1"
"plugin.user.something2"
"plugin.admin.dangerous1"
"plugin.admin.dangerous2"
This way admins can add "plugin.user.*" permission to their user rank and be done with it.

Of course, MCS supports "antipermissions", too. You can add the permission "gallery.*" and then specify restrictions as "gallery.admin.*".

I'd say these are powerful enough for most cases.

I think you didn't understand my point. What I was saying, players are completely irrelevant. What I was saying is that doing gallery.* granted access to all sub commands. The multi-word commands. Some way to cut down from typing out EVERY command. Does MCS support .* to give all permissions of the sub permission? Like plugin.admin.* plugin.* plugin.user.*

And what about rank inheritance? Is that implemented?
Reply
Thanks given by:
#4
(05-18-2015, 07:10 AM)Shadowraix Wrote: Does MCS support .* to give all permissions of the sub permission? Like plugin.admin.* plugin.* plugin.user.*

And what about rank inheritance? Is that implemented?

In short:
Yes, no.
Reply
Thanks given by:
#5
well the default permission in core is * which has a permission group name 'Everything' so yes I would say it supports the wildcard for 'all sub.permissions of x permission'

it's just good practice to not use it unless needed because sometimes using the wildcard will also give you negative permissions... for example

permission.*

could include

permission.deny.*

which could be a permission used to deny access to a command or feature.
Reply
Thanks given by:
#6
We should never have a "permission.deny.something" kind of a permission. That would be a very poorly written plugin. Instead, the server does, in fact, support restrictions (permissions that are explicitly denied for the player), so that you can give players the "gallery.*" permission and then give them "gallery.admin.*" restriction, and it works as you'd expect - they can do user stuff, but not admin stuff.
Reply
Thanks given by:
#7
(05-19-2015, 04:36 PM)xoft Wrote: We should never have a "permission.deny.something" kind of a permission. That would be a very poorly written plugin. Instead, the server does, in fact, support restrictions (permissions that are explicitly denied for the player), so that you can give players the "gallery.*" permission and then give them "gallery.admin.*" restriction, and it works as you'd expect - they can do user stuff, but not admin stuff.

I agree that negative permission should not exist but in some instance for bukkit plugins , they have but whether or not it was even needed I can't answer it was a long time ago that I had dealt with it.
Reply
Thanks given by:




Users browsing this thread: 1 Guest(s)