[cap-talk] Reducing the authority of a file browser in a capability OS.
Ben Kloosterman
bklooste at gmail.com
Wed Dec 30 00:01:29 PST 2009
>>
>> While I agree with [David-Sarah] and Alan for UI based designs, a few
>> power boxes of user rights have some advantages (in terms of minimum
>> UI prompts, simple from the user's point of view, and you can make the
>> trusted code small); it works best with a certain class of problem.
>
>I don't think anyone claimed that all permissions should be granted via
>the powerbox UI pattern. Of course a system must support persistent
>grants.
>However, the discussion was about whether persistent grants should be
>used to grant a document-oriented application access to the document
>files that it is editing/viewing.
>
>Remember that we started the thread with you claiming that a
>wordprocessor would need to be given access to all wordprocessor files,
>for instance.
>Do we now agree that this is excess authority?
Yes, I agree: for documents which can be selected by the user, this is excess authority compared to the user selecting the actual file.
>
>>> If in OOP you had to choose the least authority solution and had to
>>> choose between putting data into private member vars, or instead
>>> using the manager singleton to store your data, I'm pretty sure you
>>> would opt for using the private member vars over the manager
>>> singleton. So either I am making some major mistake in transposing
>>> the OOP granularity concepts to the relevant level of granularity, or
>>> you are simply failing to recognize the equivalence.
>>
>> This is exactly why I wanted the browser to have just browse rights
>> and semi persistent processes.
>
>No-one has disagreed that the browser should just have browse
>permissions.
>The BrowserManager approach gives the browser only browse permissions.
>It nevertheless has authority to invoke a new instance of an app with
>read/write permission to a file that is associated with that app --
>because that's a necessary part of the browser's least authority.
Ah, I see: the powerbox is doing it, and the Browser is not the Powerbox; it merely communicates the user's wishes.
Regards,
Ben Kloosterman
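The BrowserManager arrangement described in the quoted text, as an added toy model (not code from the cap-talk thread or from any real capability OS). The names FileCap, BrowseCap, WordProcessor, launch_for and the sample document store are assumptions made for the illustration; only "BrowserManager" comes from the thread. The point it shows is the split of authority: the browser holds a browse-only capability plus the right to request a launch, the manager holds all file authority, and each application instance is created with read/write authority over exactly the one document the user selected.

```python
# Toy model of the BrowserManager pattern: browse-only browser, trusted manager,
# per-document read/write capability handed to a fresh app instance.
# Names other than BrowserManager are assumed for this illustration.
from __future__ import annotations
from typing import Callable, Dict, List, Tuple


class AuthorityError(PermissionError):
    """Raised when a holder asks for authority it was never granted."""


class FileCap:
    """Read/write authority over exactly one file.

    Holding the object *is* the permission; there is no API to reach any other
    file through it, so an app given this cap cannot wander the file system.
    """

    def __init__(self, name: str, store: Dict[str, list]):
        self.name = name
        self._store = store

    def read(self) -> str:
        return self._store[self.name][1]

    def write(self, data: str) -> None:
        self._store[self.name][1] = data


class BrowseCap:
    """Browse-only authority: document names and associated app types, never contents."""

    def __init__(self, store: Dict[str, list]):
        self._store = store

    def listing(self) -> Dict[str, str]:
        return {name: entry[0] for name, entry in self._store.items()}


class WordProcessor:
    """A document app instance. It is constructed with a single FileCap and nothing else."""

    def __init__(self, doc: FileCap):
        self.doc = doc

    def append(self, text: str) -> str:
        self.doc.write(self.doc.read() + text)
        return self.doc.read()


class BrowserManager:
    """The trusted part. Holds all file authority, hands the browser a BrowseCap,
    and on a user selection mints one FileCap and launches the matching app with it."""

    def __init__(self, store: Dict[str, list], apps: Dict[str, Callable[[FileCap], object]]):
        self._store = store
        self._apps = apps
        self.launches: List[Tuple[str, str]] = []  # audit trail of (document, app type)

    def browse_cap(self) -> BrowseCap:
        return BrowseCap(self._store)

    def launch_for(self, name: str):
        # The browser only reports the user's wish; the manager decides what is granted.
        if name not in self._store:
            raise AuthorityError(f"no such document: {name!r}")
        app_type = self._store[name][0]
        if app_type not in self._apps:
            raise AuthorityError(f"no app registered for {app_type!r}")
        app = self._apps[app_type](FileCap(name, self._store))
        self.launches.append((name, app_type))
        return app


class Browser:
    """The file browser: receives only a BrowseCap and a launch-request function.
    It never holds a FileCap, so it cannot read or modify any document itself."""

    def __init__(self, browse: BrowseCap, request_launch: Callable[[str], object]):
        self._browse = browse
        self._request_launch = request_launch

    def show(self) -> Dict[str, str]:
        return self._browse.listing()

    def user_double_clicks(self, name: str):
        return self._request_launch(name)


def build_system(store: Dict[str, list]) -> Tuple[BrowserManager, Browser]:
    """Wire a manager and a browser over a constructed store: name -> [app type, contents]."""
    manager = BrowserManager(store, {"wordproc": WordProcessor})
    browser = Browser(manager.browse_cap(), manager.launch_for)
    return manager, browser


def denied(fn: Callable, *args) -> bool:
    """True if calling fn(*args) is refused with AuthorityError."""
    try:
        fn(*args)
    except AuthorityError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample documents, not a real file system.
    manager, browser = build_system({"thesis.odt": ["wordproc", "Chapter 1."],
                                     "budget.ods": ["spreadsheet", "A1=42"]})
    print(browser.show())
    app = browser.user_double_clicks("thesis.odt")
    print(app.append(" Chapter 2."))
    print(manager.launches)
```

Notice what the browser cannot do: it has no `read` or `write`, and the only way for any document to be touched is through the FileCap the manager creates for the selected file. Swapping the selection for an unlisted name, or for a document whose app type has no registered handler, fails inside the manager rather than in the browser, which keeps the browser's authority at "browse and ask".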