[cap-talk] Reducing the authority of a file browser in a capability OS.
David-Sarah Hopwood
david-sarah at jacaranda.org
Tue Dec 29 18:56:21 PST 2009
Ben Kloosterman wrote:
>> What I am advocating however is the object private member variable as
>> being the least authority solution, also after transposing it to the
>> relevant level of granularity where apps are the classes, pseudo
>> persistent processes are the objects and file chooser powerboxes are the
>> singletons.
>
> While I agree with [David-Sarah] and Alan for UI-based designs a few
> power boxes of user rights have some advantages (in terms of minimum
> UI prompts, simple from the user's point of view, and you can make the
> trusted code small) it works best with a certain class of problem.
I don't think anyone claimed that all permissions should be granted via
the powerbox UI pattern. Of course a system must support persistent grants.
However, the discussion was about whether persistent grants should be
used to grant a document-oriented application access to the document
files that it is editing/viewing.
Remember that we started the thread with you claiming that a wordprocessor
would need to be given access to all wordprocessor files, for instance.
Do we now agree that this is excess authority?
>> If in OOP you had to choose the least authority solution and had to choose
>> between putting data into private member vars, or instead using the manager
>> singleton to store your data, I'm pretty sure you would opt for using the
>> private member vars over the manager singleton. So either I am making some
>> major mistake in transposing the OOP granularity concepts to the relevant
>> level of granularity, or you are simply failing to recognize the
>> equivalence.
>
> This is exactly why I wanted the browser to have just browse rights and semi
> persistent processes.
No-one has disagreed that the browser should just have browse permissions.
The BrowserManager approach gives the browser only browse permissions. It
nevertheless has authority to invoke a new instance of an app with read/
write permission to a file that is associated with that app -- because
that's a necessary part of the browser's least authority.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
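A toy model of the BrowserManager split described in the reply above, added here as an example; it is not code from the thread or from any cap-talk project, and every class and method name in it is assumed. Capabilities are plain object references: the browser is handed only a listing capability and an "open" entry point, while the manager alone holds file authority and mints a read/write capability for exactly one file when it launches a fresh app instance.

```python
class FileCap:
    """Read/write capability to one file's contents; holding it is the authority."""
    def __init__(self, store, path):
        self._store, self._path = store, path
    def read(self):
        return self._store[self._path]
    def write(self, data):
        self._store[self._path] = data

class Editor:
    """A document app: at launch it receives r/w to exactly one file, nothing else."""
    def __init__(self, file_cap):
        self.file = file_cap
    def append(self, text):
        self.file.write(self.file.read() + text)

class BrowserManager:
    """Holds the real file authority and the app registry; mints per-file caps on open."""
    def __init__(self, store, apps):
        self._store, self._apps, self.instances = store, apps, {}
    def listing_cap(self):
        # browse-only capability: names and their associated app, never file contents
        return lambda: [(p, self._apps[p.rsplit(".", 1)[-1]].__name__)
                        for p in sorted(self._store)]
    def open_with_app(self, path):
        app = self._apps[path.rsplit(".", 1)[-1]]
        handle = len(self.instances)            # opaque handle handed back to the browser
        self.instances[handle] = app(FileCap(self._store, path))  # fresh instance, r/w to this file only
        return handle

class Browser:
    """Receives only the listing cap and the open entry point; it can never read bytes."""
    def __init__(self, listing, opener):
        self._listing, self._opener = listing, opener
    def browse(self):
        return self._listing()
    def open(self, path):
        return self._opener(path)

def demo():
    store = {"notes.txt": "hello", "report.doc": "draft"}   # constructed in-memory files
    mgr = BrowserManager(store, {"txt": Editor, "doc": Editor})
    browser = Browser(mgr.listing_cap(), mgr.open_with_app)
    handle = browser.open("notes.txt")
    mgr.instances[handle].append(" world")                  # the launched app edits the file
    browser_holds_file_cap = any(isinstance(v, FileCap) for v in vars(browser).values())
    return store["notes.txt"], browser.browse(), browser_holds_file_cap
```

The last return value stays False: nothing reachable from the browser object is a FileCap, so the browser's only way to touch file contents is to ask the manager to launch an app, which is exactly the authority the reply says it must keep.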