add support for negative authorizations
Negative authorizations is a way to block an entity; previously the
algorithm was something like (ignoring the config file for now)
Result is_authorized() {
res = has_implicit_auth();
if (res == YES) {
return YES;
} else if (has_explicit_auth()) {
return YES;
}
return res;
}
Now it's
Result is_authorized() {
res = has_implicit_auth();
expl = has_explicit_auth();
is_blocked = has_negative_explicit_auth();
if (is_blocked)
return NO;
if (res == YES) {
return YES;
} else if (has_explicit_auth()) {
return YES;
}
return res;
}
E.g. just a single negative auth will force NO to be returned. I
really, really need to write into the spec how this works; my mental
L1 cache can't contain it anymore. Once it's formally defined we need
to craft a test suite to verify that the code works according to
spec...
12 files changed: