11.. _permissions :
22.. include :: references.rst
33
4+ .. default location to quickly reference items without the explicit and long prefix
5+ .. using the full name when introducing the element (to make the location obvious), the reuse shorthand variant
6+ py :currentmodule :: magpie.permissions
7+
48===========
59Permissions
610===========
@@ -368,7 +372,8 @@ Permissions Definition and Modifiers
368372 Previous versions of `Magpie ` employed literal ``[permission_name] `` and ``[permission_name]-match `` to
369373 respectively represent recursive and match ``scope `` over the hierarchy of :term: `Resource `.
370374 All ``-match `` suffixed :term: `Permission ` names are now deprecated in favor of modifiers presented in this section.
371- Furthermore, the `Deny ` concept is introduced via ``access `` field, which did not exist at all in previous versions.
375+ Furthermore, the :attr: `Access.DENY ` concept is introduced via ``access `` field, which did not exist at all in
376+ previous versions.
372377
373378When applying a :term: `Permission ` on a :term: `Service ` or :term: `Resource ` for a :term: `User ` or :term: `Group `, there
374379are 3 components considered to interpret its definition:
@@ -389,11 +394,12 @@ The ``access`` component is defined by :class:`magpie.permissions.Access` enum.
389394correspondingly grant or remove the :term: `Permission ` for previously denied or allowed :term: `User ` or :term: `Group `
390395when resolving the :term: `Resource ` tree hierarchy. This helps solving special use cases where different inheritance
391396conditions must be applied at different hierarchy levels. By default, if no ``access `` indication is provided when
392- creating a new :term: `Permission `, `Allow ` is employed since `Magpie ` resolves all ``access `` to a :term: `Resource `
393- as `Deny ` unless explicitly granted. In other words, `Magpie ` assumes that administrators adding new :term: `Permission `
394- entries indent to grant :term: `Service ` or :term: `Resource ` access for the targeted :term: `User ` or :term: `Group `.
395- Any :term: `Permission ` specifically created using `Deny ` should be involved only to revert a previously resolved
396- `Allow `, as they are otherwise redundant to default :term: `Effective Permissions ` resolution.
397+ creating a new :term: `Permission `, :attr: `Access.ALLOW ` is employed since `Magpie ` resolves all ``access `` to a
398+ :term: `Resource ` as :attr: `Access.DENY ` unless explicitly granted. In other words, `Magpie ` assumes that administrators
399+ adding new :term: `Permission ` entries indent to grant :term: `Service ` or :term: `Resource ` access for the targeted
400+ :term: `User ` or :term: `Group `. Any :term: `Permission ` specifically created using :attr: `Access.DENY ` should be involved
401+ only to revert a previously resolved :attr: `Access.ALLOW `, as they are otherwise redundant to default
402+ :term: `Effective Permissions ` resolution.
397403
398404The ``scope `` concept is defined by :class: `magpie.permissions.Scope ` enum. This tells `Magpie ` whether the
399405:term: `Applied Permission ` should impact only the immediate :term: `Resource ` (i.e.: when ``match ``) or should instead
0 commit comments