Ticket #764 (closed Enhancement: fixed)
Access Control: introduce "System" role
Reported by: | jri | Owned by: | jri |
---|---|---|---|
Priority: | Major | Milestone: | Release 4.6 |
Component: | DeepaMehta Standard Distribution | Version: | 4.5 |
Keywords: | Cc: | dgf, Malte, JuergeN | |
Complexity: | 3 | Area: | |
Module: | deepamehta-accesscontrol |
Description
The "System" itself must be seen as an authority in its own. The System needs unrestricted access to the database, in order e.g. to convert the entire DB content in the course of a system upgrade.
The System authority should be implicitly in effect for all code that is invoked by the system itself -- as opposed to be invoked by a user. That applies mainly to the code executed when the system starts up. In particular all migrations must run under the System authority.
Technically the System authority could be realized straight-forward. No dedicated user account or "role" must be introduced. Instead all code that is executed outside a request scope can be regarded to run as "System". In contrast code running in request scope is always invoked by a (possibly anonymous) user.