diff --git a/access-control.md b/access-control.md index ee9531f..48e9c82 100644 --- a/access-control.md +++ b/access-control.md @@ -41,7 +41,7 @@ If only compiled code can be executed, then it seems to me that having access to Thus the default access list is the read access list; every cell has an access list. What do its possible values mean? 1. **T** everyone can read this; -2. An executable function of two arguments: the current user can read the cell if the function, when passed as arguments the current user and the cell to which access is requested, returns **T**; +2. An executable function of two arguments: the current user can read the cell if the function, when passed as arguments the current user and the cell to which access is requested, returns **T** or a list of names as below, and the user is present on that list; 3. A list of names: true if the value of one of those names is the user object of the current user, or is a group which contains the user object of the current user. If there's anything on the list which isn't a name it's ignored. Any value of the access list which isn't **T**, an executable function, of a list of names is problematic; we either have to treat it as **T** (everyone) or as **NIL** (either no-one or system-only). We should probably flag an error if an attempt is made to create a cell with an invalid access list. Access control list cells also clearly have their own access control lists; there is a potential for very deep recursion and consequently poor performance here, so it will be desirable to keep such access control lists short or just **T**. Obviously, if you can't read an access control list you can't read the cell that it guards. 
@@ -103,6 +103,19 @@ Suppose I want to permanently add Anne and Bill to my normal friends: _Here I'm presuming that **environment** is bound to the value of **system.users.simon.environment**, and that unqualified names are searched for first in my own environment._ +Suppose I want everyone to be able to play a game, but only outside working hours; and for my friends to be able to play it additionally at lunchtime: + + (with-open-access-control + (compile + (lambda (user cell) + (let ((time (get-current-time))) + (cond + ((< time 09:00) T) + ((> time 17:00) T) + ((and (> time 12:30)(< time 13:30)) friends) + (T NIL))))) + (rebind! 'system.users.simon.exec.excellent-game (compile excellent-game))) + ## Summary Security is hard to do well, and all this requires careful further thought, in part because the proposed post-scarcity environment is so unlike any existing software environment.
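Review bot: in the first hunk (the `@@ -41,7 +41,7 @@` change to item 2), the new wording "a list of names as below, and the user is present on that list" does not match the rule in item 3 it points to: item 3 grants access when the value of one of the names is the user object, or is a group containing it, not when the user's own name is on the list. Suggest "returns **T**, or returns a list of names that grants access under rule 3". The hunk also leaves unsaid what happens when the function returns anything else; given the paragraph's treatment of invalid access lists, state explicitly that any other return value is treated as **NIL** (access denied) rather than as **T**, so a buggy or mistyped access function fails closed. Unrelated to the change but in the same context: "an executable function, of a list of names" should read "or a list of names".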
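Review bot: in the second hunk, `09:00`, `17:00`, `12:30` and `13:30` are not numeric literals under standard Lisp reader syntax (a colon makes the reader treat the token as a package-qualified symbol), so `(< time 09:00)` will not read, let alone compile, unless this environment defines time-of-day literals, which the document does not say. Either say what `get-current-time` returns and write the bounds in that representation, with a comment, or introduce the literal syntax in the text before using it. The lunchtime clause returns `friends`, whose value is presumably a group object, but the first hunk only allows the function to return **T** or a list of names; `'(friends)` (a list holding the name, resolved under rule 3) would fit the rule as written, or the rule should be widened to accept a group. Finally, the example does not say what `with-open-access-control` does or in which time zone `get-current-time` reports; a sentence on each would help, since an access decision keyed on wall-clock time is only as reliable as the clock the system reads.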