Permissions In MV3D

Many objects of all types in MV3D use the permission system. There are two main parts to the system: permissions and identities. Permissions are actions that can be done to the object, and identities are a way of identifying users. Identities can be either user names or group names. Permissions can be granted or denied, and objects can be configured for allow first or deny first. Some permissions exist on all objects: read, reference, delete, and modify. A special permission, "all", matches every permission available on the object. In addition, there is a special identity, also called "all", which matches all users.

By default, permissions are deny first. This means that denied permissions are checked first and allowed permissions second. Whatever matches first is the result, so if the object has write:admin denied but write:all allowed, admin would still be denied access. If the object were set up for allow first, then the opposite would be true.

Any class in MV3D can use the permission system by inheriting from mv3d.net.security.Securable. To set permissions on the object, you can use grantPermission, revokePermission, denyPermission, and remDeniedPermission. All of these take the arguments "what" and "who": "what" is the permission, and "who" is the user to allow or deny.
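The evaluation order and the four calls described above can be modelled in a few lines. This is an added example, not MV3D's own code: it does not import mv3d, `PermissionModel`, `check` and `demo` are hypothetical names, and it assumes that a request matching no entry is refused and that the caller supplies the user's group names.

```python
# Stand-alone model of the evaluation order described above.
# It does not import mv3d; PermissionModel and check() are hypothetical.
ALL = "all"


class PermissionModel:
    def __init__(self, deny_first=True):
        self.deny_first = deny_first
        self.granted = set()  # (what, who) pairs
        self.denied = set()

    # Method names follow the page; the bodies are this model's own.
    def grantPermission(self, what, who):
        self.granted.add((what, who))

    def revokePermission(self, what, who):
        self.granted.discard((what, who))

    def denyPermission(self, what, who):
        self.denied.add((what, who))

    def remDeniedPermission(self, what, who):
        self.denied.discard((what, who))

    @staticmethod
    def _matches(entries, what, identities):
        # "all" as a permission matches every permission;
        # "all" as an identity matches every user.
        return any(w in (what, ALL) and i in identities for w, i in entries)

    def check(self, what, user, groups=()):
        identities = {user, ALL, *groups}
        order = [(self.denied, False), (self.granted, True)]
        if not self.deny_first:
            order.reverse()
        for entries, result in order:  # whatever matches first is the result
            if self._matches(entries, what, identities):
                return result
        return False  # assumption: nothing matched means no access


def demo():
    # The page's case: write:admin denied, write:all allowed.
    results = {}
    for deny_first in (True, False):
        obj = PermissionModel(deny_first=deny_first)
        obj.denyPermission("write", "admin")
        obj.grantPermission("write", ALL)
        results[deny_first] = (obj.check("write", "admin"),
                               obj.check("write", "guest"))
    return results
```

Under allow first, the write:all grant matches before the write:admin deny is consulted, so a targeted deny only takes effect on a deny-first object.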