http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660Bunter, This is actually possible. http://ayende.com/3124/authorization-dsl#comment14http://ayende.com/3124/authorization-dsl#comment14Fri, 01 Feb 2008 11:43:28 GMT"if Not FormalDate.CurrentHour between 9 And 17: Deny("Cannot log in outside of business hours, 09:00 - 17:00")" I wish you could write even in more a bit of an "english": if now.not.between 09:00 and 17:00 :) http://ayende.com/3124/authorization-dsl#comment13http://ayende.com/3124/authorization-dsl#comment13Fri, 01 Feb 2008 08:59:12 GMTOh, good point. I am thinking more about the more general approach, specifically with relation to Rhino Security, which uses that approach http://ayende.com/3124/authorization-dsl#comment12http://ayende.com/3124/authorization-dsl#comment12Wed, 30 Jan 2008 21:47:45 GMTOh, I didn't mean a structured string. I meant a structured identifier. No quotes. I used period as delimiter because Boo's syntax allows qualified names as reference expressions, which is good for this scenario. The delimiter itself isn't important, it's the difference between a string literal that "looks" like a structured identifier (but requires parsing) and a qualified name, which *is* a structured identifier. http://ayende.com/3124/authorization-dsl#comment11http://ayende.com/3124/authorization-dsl#comment11Wed, 30 Jan 2008 21:33:42 GMTAvish, Paths are my preferences, they are immediately recognizable. I have no issues, however, with structured strings that uses other delimiters. "account.login" or "order.approve" are just fine. I actually built a system with that convention, it worked nicely. http://ayende.com/3124/authorization-dsl#comment10http://ayende.com/3124/authorization-dsl#comment10Wed, 30 Jan 2008 21:22:23 GMTAyende, qualified names are also meaningful and intrinsically hierarchical without resorting to string parsing. I'm uncomfortable seeing "/account/login", but less so when I see account.login. http://ayende.com/3124/authorization-dsl#comment9http://ayende.com/3124/authorization-dsl#comment9Wed, 30 Jan 2008 21:19:31 GMTThis is actually possible with a patch to Boo :-) Macro operators http://ayende.com/3124/authorization-dsl#comment8http://ayende.com/3124/authorization-dsl#comment8Wed, 30 Jan 2008 19:34:20 GMTAs this should be DSL I would like a approach like if Not FormalDate.CurrentHour between 9 And 17: Deny("Cannot log in outside of business hours, 09:00 - 17:00") http://ayende.com/3124/authorization-dsl#comment7http://ayende.com/3124/authorization-dsl#comment7Wed, 30 Jan 2008 19:28:33 GMTAvish, Yes, that would be much nicer. But I am trying to show a simple DSL, not taking it to the far end. How do you structure operations if they are free text? There is a good reason that I like the path approach, they are very easily recognizable, have meaningful names and intrinsically hierarchical. http://ayende.com/3124/authorization-dsl#comment6http://ayende.com/3124/authorization-dsl#comment6Wed, 30 Jan 2008 17:31:30 GMTI keep having trouble with the operations named like paths or URLs. This sounds logical only if you're developing a web app, and even then it's not always the correct mapping. I'd rather go wilder and do something like: operation login in account Also, for a DSL I think I'd rather do something more like "if user in Managers" over "if Prinicpal.IsInRole("Managers")". http://ayende.com/3124/authorization-dsl#comment5http://ayende.com/3124/authorization-dsl#comment5Wed, 30 Jan 2008 17:11:13 GMTIIRC, ADAM/AzMan has a similar capability using VBScript to validate defined Operations, however it requires Active Directory. http://ayende.com/3124/authorization-dsl#comment4http://ayende.com/3124/authorization-dsl#comment4Wed, 30 Jan 2008 15:13:45 GMTThis is probably a good example of why people are flocking to Ruby, writing a DSL for something like this becomes very easy. http://ayende.com/3124/authorization-dsl#comment3http://ayende.com/3124/authorization-dsl#comment3Wed, 30 Jan 2008 11:01:33 GMTRik, This _is_ normal code. In specific context, using a specific set of scenario. This is supposed to be an example of a technical DSL. What you see is the entire file, and you have whole sets of them. http://ayende.com/3124/authorization-dsl#comment2http://ayende.com/3124/authorization-dsl#comment2Wed, 30 Jan 2008 09:28:31 GMTThis looks like normal code to me... apart from the context setting first line. What makes it a DSL? http://ayende.com/3124/authorization-dsl#comment1http://ayende.com/3124/authorization-dsl#comment1Wed, 30 Jan 2008 09:23:25 GMT