[cap-talk] Abstractions that subsume capabilities
Kevin Reid
kpreid at mac.com
Sun Mar 9 13:43:31 EDT 2008
On Mar 9, 2008, at 13:00, Sandro Magi wrote:
> There are other considerations, true. I would want the filesystem root
> to be encapsulated within the monad, thus enabling more modular patterns
> ("FileSystem" is a private namespace). I think this is a question of
> modularity as much as access control. I imagine my structure would be
> similar to yours, where the filesystem must be an explicit parameter
> like your World.

I think you're suggesting a dynamically scoped filesystem root. This
is a bad idea because dynamic scope follows control flow rather than
explicit authorization.

Have you seen how E handles file objects? Every directory can serve
as a 'private namespace' -- the true filesystem root is not very much
different (and arguably shouldn't have the differences it does have).

I'll adjust my example a bit to support this properly, which I
overlooked before:

   (//) :: FilePath -> String -> FilePath
   fsRoot :: World -> FilePath

   foo :: FilePath -> IO String
   foo dir = readFile (dir // "passwd")

   main world = do
     s <- foo (fsRoot world // "etc")
     ...

--
Kevin Reid <http://homepage.mac.com/kpreid/>
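
Added example, not part of the original message or of E: a self-contained model of the explicit-parameter design sketched above, where a directory value is the only authority a function receives. The Node type, the in-memory sampleWorld tree, readNode and the Maybe-returning (//) are assumptions made so the sketch runs without touching a real disk.

```haskell
module Main where

-- A directory capability is the subtree itself: it holds its children but
-- no reference to its parent, so holding one grants nothing above it.
data Node = File String | Dir [(String, Node)]

-- Stand-in for the World value handed to main (assumed representation).
newtype World = World Node

fsRoot :: World -> Node
fsRoot (World root) = root

-- Descend exactly one step. Only names present in the directory resolve;
-- there is no ".." entry unless someone deliberately put one there.
(//) :: Node -> String -> Maybe Node
Dir entries // name = lookup name entries
File _      // _    = Nothing

-- Reading requires holding the file node; a directory has no contents.
readNode :: Node -> Maybe String
readNode (File contents) = Just contents
readNode (Dir _)         = Nothing

-- foo is authorized by its argument alone. It has no ambient root to
-- consult, so which "passwd" it sees is decided entirely by the caller.
foo :: Node -> Maybe String
foo dir = dir // "passwd" >>= readNode

-- Constructed sample tree for the demonstration.
sampleWorld :: World
sampleWorld = World (Dir
  [ ("etc",  Dir [("passwd", File "root:x:0:0")])
  , ("home", Dir [("passwd", File "decoy entry")])
  ])

main :: IO ()
main = do
  let root = fsRoot sampleWorld
  -- The caller chooses the namespace foo works in.
  print (root // "etc"  >>= foo)
  print (root // "home" >>= foo)
  -- Trying to climb back out of "etc" fails: the subtree has no parent link.
  print (root // "etc" >>= (// "..") >>= foo)
```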