Groups and access rights - mattiasrunge/MURRiX GitHub Wiki

Node types and access requirements

album          Must have explicit rights
location       Must have explicit rights  
person         Must have explicit rights
file           Should not have explicit rights
logentry       Should not have explicit rights
comment        Should not have explicit rights 
mediamark      Should not have explicit rights
tag            Should not have explicit rights        Special case: readable for all, only the node type is checked
group          Should not have explicit rights        Special case: users linked to the group with role user_admin are granted admin rights
user           Should not have explicit rights        Special case: the signed-in user has admin rights on their own user node

Creation of new nodes

album          Anyone but the anonymous user allowed
location       Anyone but the anonymous user allowed 
person         Anyone but the anonymous user allowed
file           If admin on parent node (create file links to parent)
logentry       If admin on parent node (create logentry links to parent)
comment        If read on parent node (create comment links to user and parent); the anonymous user may comment but is not allowed to edit/delete even if creator
mediamark      If admin on parent node and read on "person" node to mark (create mediamark links to file and "person" node)
tag            If admin on parent node (create tag links to parent), do not create new if existing is found
group          Only admin user allowed to create
user           Only admin user allowed to create

Access propagation through links

Role names are built as <node_type_down>_<specific type>. Columns: relation, role, rights the down node inherits from the up node, relation kind (Owning: up owns down, all rights flow down; Equal: read only).

creator        person_creator     (Node up read rights inherited)             Equal relation
father         person_father      (Node up read rights inherited)             Equal relation
mother         person_mother      (Node up read rights inherited)             Equal relation 
partner        person_partner     (Node up read rights inherited)             Equal relation

event          event              (Node up * rights inherited)                Owning relation (up owns down)
birth          event_birth        (Node up * rights inherited)                Owning relation (up owns down) 
death          event_death        (Node up * rights inherited)                Owning relation (up owns down)
engagement     event_engagement   (Node up * rights inherited)                Owning relation (up owns down)
marriage       event_marriage     (Node up * rights inherited)                Owning relation (up owns down)

file           file               (Node up * rights inherited)                Owning relation (up owns down)
profilePicture file_profile       (Node up read rights inherited)             Equal relation

media          *_related          (Node up read rights inherited)             Equal relation

mediamark      mediamark          (Node up * rights inherited)                Owning relation (up owns down)

location       location           (Node up read rights inherited)             Equal relation
home           location_home      (Node up * rights inherited)                Owning relation (up owns down) 

logentry       logentry           (Node up * rights inherited)                Owning relation (up owns down) 

tag            tag                (No inheritance listed; tag nodes are readable for all, see above)

member         user_member        (Node up * rights inherited)                Owning relation (up owns down)
               user_admin         (Node up * rights inherited)                Owning relation (up owns down)

comment        comment            (Node up * rights inherited)                Owning relation (up owns down)

Flow: Create new album, location or person node

  1. Check that the current user is NOT the anonymous user => if anonymous, disallow
  2. Create the new node
  3. Grant the creating user's default group admin rights on the new node

Flow: Create new file or logentry node under an owning node, using the supplied relation role

  1. Check if the current user has admin rights on the supplied owning node => if not disallow
  2. Create the new node
  3. Create a link to the owning node using the supplied relation role

Flow: Create new comment under an owning node, using the supplied relation role

  1. Check if the current user has read rights on the owning node => if not disallow
  2. Create the new node
  3. Create a link to the owning node using the supplied relation role
  4. If the current user is not the anonymous user create a link, using the supplied relation role, toward the creating user

Flow: Create new mediamark under a file node (owning node) and connect to person/location/etc (item node)

  1. Check if the current user has admin rights on the owning node and read rights on the item node => if not disallow
  2. Create the new mediamark node
  3. Create a link to the owning node using the mediamark role
  4. Create a link to the item node using the mediamark role

Flow: Tag a node (owning node)

  1. Check if the current user has admin rights on the owning node => if not disallow
  2. Check if a tag node with the same name already exists => if not, create a new tag node
  3. Create a link to the owning node using the tag relation role

Flow: Create group node

  1. Check if the current user is the admin user => if not disallow
  2. Create the new group node

Flow: Create user node

  1. Check if the current user is the admin user => if not disallow
  2. Create the new user node

Flow: On read access requested

  1. Check explicit read or admin rights on the node => if granted, allow
  2. Fetch all links
  3. Group the links into an Owning relation list and an Equal relation list
  4. Filter the Owning relation list to only contain links where the remote node is up
  5. Check if any of the nodes in the Owning relation list grants read or admin rights => if so, allow
  6. Check if any of the nodes in the Equal relation list grants read rights => if not, disallow
  7. Allow access

Flow: On admin access requested

  1. Check explicit admin rights on the node => if granted, allow
  2. Fetch all links
  3. Keep only the Owning relation links (Equal relations never pass on admin rights)
  4. Filter the Owning relation list to only contain links where the remote node is up
  5. Check if any of the nodes in the Owning relation list grants admin rights => if not, disallow
  6. Allow access
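The read and admin flows above, together with the creation pre-checks, as an added JavaScript example (MURRiX is a Node.js project); this is not the project's own code. The graph, group names, user ids and the ADMIN_USER_ID constant are constructed for illustration. Two details the page leaves open are assumptions here: the walk over owning links is recursive with a visited set, and equal relations are only followed toward the up node, as the propagation table describes (the read flow only filters the owning list that way, so check this against the real implementation).

```javascript
'use strict';
// Added example, not MURRiX's own code: the access rules on this page as a
// small in-memory model. Node ids, group names and ADMIN_USER_ID are made up.

// Link role -> relation kind, from the "Access propagation through links"
// table. Owning: up owns down, every right flows down. Equal: down inherits
// read only. Any "*_related" role is an equal relation.
const OWNING_ROLES = new Set([
  'event', 'event_birth', 'event_death', 'event_engagement', 'event_marriage',
  'file', 'mediamark', 'location_home', 'logentry', 'user_member', 'user_admin', 'comment',
]);
const EQUAL_ROLES = new Set([
  'person_creator', 'person_father', 'person_mother', 'person_partner', 'file_profile', 'location',
]);
function relationKind(role) {
  if (OWNING_ROLES.has(role)) return 'owning';
  if (EQUAL_ROLES.has(role) || role.endsWith('_related')) return 'equal';
  return null; // e.g. the "tag" role never propagates rights
}

// Constructed graph. rights maps a group id to the explicit right granted to
// that group; links are directed up -> down.
const nodes = {
  alice:    { type: 'person',  rights: { family: 'admin', friends: 'read' } },
  bob:      { type: 'person',  rights: {} },
  photo:    { type: 'file',    rights: {} },
  comment1: { type: 'comment', rights: {} },
  holiday:  { type: 'tag',     rights: {} },
  staff:    { type: 'group',   rights: {} },
  carol:    { type: 'user',    rights: {} },
};
const links = [
  { up: 'alice', down: 'bob',      role: 'person_father' }, // equal: Bob readable if Alice is
  { up: 'alice', down: 'photo',    role: 'file' },          // owning: photo gets all of Alice's rights
  { up: 'photo', down: 'comment1', role: 'comment' },       // owning: two levels below Alice
  { up: 'photo', down: 'holiday',  role: 'tag' },           // tag: no propagation
  { up: 'staff', down: 'carol',    role: 'user_admin' },    // Carol administers the group "staff"
];
const users = {
  anonymous: { id: 'anonymous', anonymous: true,  groups: [] },
  dave:      { id: 'dave',      anonymous: false, groups: ['family'] },
  erin:      { id: 'erin',      anonymous: false, groups: ['friends'] },
  carol:     { id: 'carol',     anonymous: false, groups: [] },
};
const ADMIN_USER_ID = 'admin'; // assumption: the page only says "the admin user"

// Step 1 of both flows: explicit rights on the node itself, including the
// special cases from the "Node types and access requirements" table.
function explicitRight(user, id) {
  const node = nodes[id];
  if (node.type === 'tag') return 'read';
  if (node.type === 'user' && !user.anonymous && user.id === id) return 'admin';
  if (node.type === 'group' &&
      links.some(l => l.up === id && l.down === user.id && l.role === 'user_admin')) return 'admin';
  let best = null;
  for (const g of user.groups) {
    if (node.rights[g] === 'admin') return 'admin';
    if (node.rights[g] === 'read') best = 'read';
  }
  return best;
}
const satisfies = (granted, wanted) =>
  granted === 'admin' || (granted === 'read' && wanted === 'read');

// Remaining steps: walk links where the remote node is "up". Owning relations
// pass on whatever right is wanted, equal relations pass on read only. The
// walk is recursive (a comment under a file under a person) with a visited
// set so a cyclic graph cannot loop forever; both details are assumptions.
function hasAccess(user, id, wanted, visited = new Set()) {
  if (visited.has(id)) return false;
  visited.add(id);
  if (satisfies(explicitRight(user, id), wanted)) return true;
  for (const l of links) {
    if (l.down !== id) continue;
    const kind = relationKind(l.role);
    if (kind === 'owning' && hasAccess(user, l.up, wanted, visited)) return true;
    if (kind === 'equal' && wanted === 'read' && hasAccess(user, l.up, 'read', visited)) return true;
  }
  return false;
}

// The pre-checks from the "Flow: Create ..." sections. parentId is the owning
// node, itemId the node a mediamark points at.
function canCreate(user, type, parentId, itemId) {
  switch (type) {
    case 'album': case 'location': case 'person': return !user.anonymous;
    case 'file': case 'logentry': case 'tag':     return hasAccess(user, parentId, 'admin');
    case 'comment':                              return hasAccess(user, parentId, 'read');
    case 'mediamark': return hasAccess(user, parentId, 'admin') && hasAccess(user, itemId, 'read');
    case 'group': case 'user':                   return user.id === ADMIN_USER_ID;
    default:                                     return false;
  }
}
```

Two properties worth checking in any real implementation follow from the model: an equal relation can never yield admin, so read-only visibility of a relative (Bob via Alice) cannot be escalated into editing rights on either node, and the "remote node is up" filter is what keeps inheritance one-directional; if equal links were followed downwards as well, a group with read rights on the child would see every person linked as its parent or partner.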