From fa680b24d1123f9de27fc752943e43c86c692314 Mon Sep 17 00:00:00 2001 From: UMTS at Teleco Date: Sun, 15 Feb 2026 15:53:50 +0100 Subject: JAYSON DERULO --- permissions/ownership.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 permissions/ownership.md (limited to 'permissions/ownership.md') diff --git a/permissions/ownership.md b/permissions/ownership.md new file mode 100644 index 0000000..a91d196 --- /dev/null +++ b/permissions/ownership.md @@ -0,0 +1,41 @@ +# Ownership Scoping + +[back to permissions](README.md) /// [home](../README.md) + +When you have a get noscoped permission code (`rwo`, `rwg`, `ro`, `rg`) jaysonderulo must automatically restrict which rows you can see and modify. This is done through the `pinned_to` system column. + +## How pinned_to works + +`pinned_to` is a by default auto managed system column that should be added to tables (unless the table opts out). When you insert a row `pinned_to` gets set to your user ID. + +The server should use this column to filter rows based on your permission level: + +### Own scoping (rwo, ro) + +Should add `WHERE table.pinned_to = ` to every query. You can only see and modify rows where `pinned_to` equals your own user ID. + +### Group scoping (rwg, rg) + +Should add a subquery filter that checks if `pinned_to` belongs to any user in the same core group as you. So you can see rows created by anyone in your core group afaik but not by people in other groups. + +## On insert + +When you insert a row: +- `pinned_to` should be automatically set to your user ID +- if you have `rwa` permission you can explicitly set `pinned_to` to someone else (like assigning a row to another user) +- with any other permission code you cant override `pinned_to`, its always you so json derulo can strip for you <3 + +## On update and delete + +The ownership filter should be applied to the WHERE clause so: +- with `rwo` you can only update/delete rows you own +- with `rwg` you can only update/delete rows owned by someone in your group +- with `rw`/`rwa` theres little/no restriction (unless overwritten by advanced type rules) + +## On select and count + +Same deal. The filter should be injected so you only see rows youre allowed to see. Count only counts rows you have access to. + +## Tables without pinned_to + +If a table has opted out of the `pinned_to` system column (via `system_column_overrides`) then ownership scoping cant work on it. So dont give ownership scoped permissions (`rwo`, `rwg`, `ro`, `rg`) to tables that dont have the `pinned_to` column, How the server handles such exceptions is not explecityly rules for JDE v2 so either jsonderulo hangs itself because he cant serve your request or it might just give the permission without `o` or the `g` addition. Will be spanked to be standardized in future jde revisions. \ No newline at end of file -- cgit v1.2.3-70-g09d2