back to permissions /// home
When you have a get noscoped permission code (rwo, rwg, ro, rg) jaysonderulo must automatically restrict which rows you can see and modify. This is done through the pinned_to system column.
pinned_to is a by default auto managed system column that should be added to tables (unless the table opts out). When you insert a row pinned_to gets set to your user ID.
The server should use this column to filter rows based on your permission level:
Should add WHERE table.pinned_to = <your_user_id> to every query. You can only see and modify rows where pinned_to equals your own user ID.
Should add a subquery filter that checks if pinned_to belongs to any user in the same core group as you. So you can see rows created by anyone in your core group afaik but not by people in other groups.
When you insert a row:
- pinned_to should be automatically set to your user ID
- if you have rwa permission you can explicitly set pinned_to to someone else (like assigning a row to another user)
- with any other permission code you cant override pinned_to, its always you so json derulo can strip for you <3
The ownership filter should be applied to the WHERE clause so:
- with rwo you can only update/delete rows you own
- with rwg you can only update/delete rows owned by someone in your group
- with rw/rwa theres little/no restriction (unless overwritten by advanced type rules)
Same deal. The filter should be injected so you only see rows youre allowed to see. Count only counts rows you have access to.
If a table has opted out of the pinned_to system column (via system_column_overrides) then ownership scoping cant work on it. So dont give ownership scoped permissions (rwo, rwg, ro, rg) to tables that dont have the pinned_to column, How the server handles such exceptions is not explecityly rules for JDE v2 so either jsonderulo hangs itself because he cant serve your request or it might just give the permission without o or the g addition. Will be spanked to be standardized in future jde revisions.
