Added an example of using an anonymous executable as an access control.

Simon Brooke 2017-01-09 13:54:03 +00:00
parent c36e2ef227
commit 34d4b94ab5

@ -41,7 +41,7 @@ If only compiled code can be executed, then it seems to me that having access to
Thus the default access list is the read access list; every cell has an access list. What do its possible values mean? Thus the default access list is the read access list; every cell has an access list. What do its possible values mean?
1. **T** everyone can read this; 1. **T** everyone can read this;
2. An executable function of two arguments: the current user can read the cell if the function, when passed as arguments the current user and the cell to which access is requested, returns **T**; 2. An executable function of two arguments: the current user can read the cell if the function, when passed as arguments the current user and the cell to which access is requested, returns **T** or a list of names as below, and the user is present on that list;
3. A list of names: true if the value of one of those names is the user object of the current user, or is a group which contains the user object of the current user. 3. A list of names: true if the value of one of those names is the user object of the current user, or is a group which contains the user object of the current user.
If there's anything on the list which isn't a name it's ignored. Any value of the access list which isn't **T**, an executable function, of a list of names is problematic; we either have to treat it as **T** (everyone) or as **NIL** (either no-one or system-only). We should probably flag an error if an attempt is made to create a cell with an invalid access list. Access control list cells also clearly have their own access control lists; there is a potential for very deep recursion and consequently poor performance here, so it will be desirable to keep such access control lists short or just **T**. Obviously, if you can't read an access control list you can't read the cell that it guards. If there's anything on the list which isn't a name it's ignored. Any value of the access list which isn't **T**, an executable function, of a list of names is problematic; we either have to treat it as **T** (everyone) or as **NIL** (either no-one or system-only). We should probably flag an error if an attempt is made to create a cell with an invalid access list. Access control list cells also clearly have their own access control lists; there is a potential for very deep recursion and consequently poor performance here, so it will be desirable to keep such access control lists short or just **T**. Obviously, if you can't read an access control list you can't read the cell that it guards.
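Review bot: the new clause in item 2, "returns **T** or a list of names as below, and the user is present on that list", does not match the test item 3 actually defines, which is not membership of the user on the list but whether the value of one of the names is the user object or a group containing it. As written, a function returning a list of group names would read as denying access. Suggest wording it as "returns **T**, or returns a list of names which is then evaluated exactly as in (3) below". It is also worth stating that a returned list inherits the recursion cost described at the end of this paragraph, since resolving each name reads further cells, each guarded by its own access list; the "keep it short or just **T**" advice now applies to function results as well.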
@ -103,6 +103,19 @@ Suppose I want to permanently add Anne and Bill to my normal friends:
_Here I'm presuming that **environment** is bound to the value of **system.users.simon.environment**, and that unqualified names are searched for first in my own environment._ _Here I'm presuming that **environment** is bound to the value of **system.users.simon.environment**, and that unqualified names are searched for first in my own environment._
Suppose I want everyone to be able to play a game, but only outside working hours; and for my friends to be able to play it additionally at lunchtime:
(with-open-access-control
(compile
(lambda (user cell)
(let ((time (get-current-time)))
(cond
((< time 09:00) T)
((> time 17:00) T)
((and (> time 12:30)(< time 13:30)) friends)
(T NIL)))))
(rebind! 'system.users.simon.exec.excellent-game (compile excellent-game)))
## Summary ## Summary
Security is hard to do well, and all this requires careful further thought, in part because the proposed post-scarcity environment is so unlike any existing software environment. Security is hard to do well, and all this requires careful further thought, in part because the proposed post-scarcity environment is so unlike any existing software environment.
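Review bot: the `cond` in the new example leaves the boundary instants unhandled: at exactly 09:00 or 17:00 neither `(< time 09:00)` nor `(> time 17:00)` holds, and at exactly 12:30 or 13:30 the `and` clause fails too, so the function falls through to `(T NIL)` and everyone, friends included, is refused at those moments. Suggest `<=` or `>=` on one side of each range so adjacent intervals meet, and a sentence saying whether the ranges are inclusive. Two things the surrounding text should also state: what a literal such as `09:00` denotes, since it is not a number in conventional Lisp readers and the representation `get-current-time` returns is never defined, and which cell the access control set up by `with-open-access-control` is attached to, because the body both compiles the lambda and rebinds `system.users.simon.exec.excellent-game`, and it is not said whether the compiled function's own cell receives the same list. Lastly, `friends` depends on the unqualified-name lookup presumed in the italic line above; either repeat that presumption here or qualify the name explicitly.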