Why read permission of destination collection is forced to system.Everyone ? #55
Comments
I don't understand the question: can you rephrase? |
This is because the way the signer works is to sign data that are public and read only to be cached by a CDN. Today we do not have any other usecases but that's something we can change if needed. |
I believe putting this in the configuration and defaulting to If we want to go further, we could have "strategies" for the permission of the destination collection, but I don't think we need this just now. |
@Natim explained me that since we duplicate records in the destination collection, and since we don't want to duplicate permissions, a read permission is set on the parent destination. We could also do nothing and leave that to the user during setup. With the current state of the code, we might to add a warning in the readme :
|
"since we don't want to duplicate permissions" is not completely accurate. We actually don't want anyone to be able to write on the destination collection, but we do want to have people write to the origin collection, so the permission set is different (at least for the OneCRL project). I agree with your proposed solution. I'll state clearly that it's easy to add a configuration option for this. If you need it, please don't hesitate to make a pull request :) |
Add mention about destination collection permissions (ref #55)
/cc @almet @Natim ?
The text was updated successfully, but these errors were encountered: