[owasp-intrinsic-security] Fwd: Introducing ABE (with almost definitive syntax specs)
bil at corry.biz
Sun Dec 21 10:29:03 EST 2008
Giorgio Maone wrote on 12/21/2008 7:42 AM:
> IMO, the priority hierarchy User > Site > Community should work fine enough,
> if an UI for conflict resolution like the one I suggested in my previous
> message is provided.
Yes, in cases where the user rules are more restrictive than the site or community rules. Now I'm flipping the example around. Imagine the user/site allows an action that is determined to be unsafe (there's a security hole). So the community rule is updated to prevent the hole. Now the community rule is more restrictive, but the user/site rules allow it. How does that get managed by the UI? I'm going off the assumption that most people will never manually code the rules, but rather will rely on the auto-learn, site and community rule sets instead.
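The precedence problem raised in the message above, as an added toy model that is not part of the original thread, of NoScript, or of ABE's real rule syntax: three rule sources ranked User > Site > Community, a first-match-by-priority evaluator, and a check that lists community Deny rules shadowed by a higher-priority Accept, which is exactly the set a conflict-resolution UI would have to surface. The `Rule` fields, the hostnames and the sample rule sets are constructed assumptions for illustration.

```python
# Added example: toy model of User > Site > Community rule precedence.
# This is NOT ABE syntax or NoScript code; Rule, decide() and
# shadowed_community_denies() are assumptions made for illustration.
from dataclasses import dataclass

# Highest priority first, as stated in the thread.
SOURCE_PRIORITY = ["user", "site", "community"]


@dataclass(frozen=True)
class Rule:
    source: str   # "user", "site" or "community"
    site: str     # destination host the rule protects
    origin: str   # requesting origin, or "*" for any origin
    action: str   # "Accept" or "Deny"

    def matches(self, site, origin):
        return self.site == site and self.origin in ("*", origin)


def decide(rules, site, origin, default="Accept"):
    """Return (action, rule): the first matching rule from the
    highest-priority source wins, regardless of how strict it is."""
    for src in SOURCE_PRIORITY:
        for r in rules:
            if r.source == src and r.matches(site, origin):
                return r.action, r
    return default, None


def _overlaps(a, b):
    # Two rules for the same site overlap if either is a wildcard origin
    # or both name the same origin.
    return a.site == b.site and ("*" in (a.origin, b.origin) or a.origin == b.origin)


def shadowed_community_denies(rules):
    """List (community_deny, overriding_accept) pairs.

    This is the case the message describes: the community set is tightened
    to close a hole, but an existing user or site Accept still wins under
    strict User > Site > Community precedence."""
    out = []
    for c in rules:
        if c.source != "community" or c.action != "Deny":
            continue
        for r in rules:
            if r.source in ("user", "site") and r.action == "Accept" and _overlaps(c, r):
                out.append((c, r))
    return out


# Constructed sample rule sets (not real ABE rules). The auto-learned user
# rule and the site's own rule allow requests to bank.example; the community
# later adds a Deny for that site after a hole is found.
RULES = [
    Rule("user", "bank.example", "*", "Accept"),
    Rule("site", "bank.example", "partner.example", "Accept"),
    Rule("community", "bank.example", "*", "Deny"),
]

if __name__ == "__main__":
    action, rule = decide(RULES, "bank.example", "attacker.example")
    print("request from attacker.example ->", action, "via", rule)
    for deny, accept in shadowed_community_denies(RULES):
        print("community Deny shadowed by", accept.source, "Accept:", deny, accept)
```

Running the module shows that the community Deny never takes effect for bank.example: the user's wildcard Accept is matched first, and the shadowed-rule check reports both the user and the site Accept as overriding it, which is the list a UI would have to present to the user before the hole is actually closed.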