Extending ACL

Posted: Fri Jun 22, 2007 4:28 pm
by winkiller
Hey there,
I need a blog part for a page and of course my first idea was s9y, but there are some key features that may be a bit problematic with ACLs atm.

I wanted to separate groups a bit more because I need one "group admin" of a usergroup with certain extended permissions and users in the group.

- group1+admin sees only posts in cat1 (ok)
- g1admin creates subcategories for cat1, but not for cat2...x (ok)
- grp1+admin automatically have read/write permissions (minor change to edit categories)
- some minor things like default posting to cat1 if you are in grp1 and not to rootdir (should be easy)

now the difficult part:
- g1admin shall edit posts of grp1 users, but not grp2...x

adminEntries: Administrate entries
adminEntriesMaintainOthers: Administrate other user's entries
these are not fine-grained enough for this
- same as categories the medialib should be separated completely. (base/g1/ = grp1, /base/g2/ = grp2)
adminImagesMaintainOthers: Administrate other user's media files
Again, not fine-grained enough

Apart from that the "users" will have most config options disabled, they can only create entries, edit them, comment, tag, upload files.
The grp-admins can add users to their groups, remove them (choosing from a list pulled from external source) and edit the posts/comments of users in their group (but toggleable)

Is it possible to make that into a plugin or is it maybe even useful for HEAD or am I better off trying to patch the current code?

And yeah, I've already thought about using shared install, but I think that's not the right thing - because for example you can be groupadmin of more blogs and so you'd have a user account on many "spawned installations", quite much overhead

Anyone got some useful hints? :) Even: "you overlooked x and y and it's already possible" is fine.

And I deliberately put it into Development and not General because I'll add these features anyway, just thinking about best practice and possibly making it a new feature for s9y if wanted.
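
Added example, not part of the original post and not Serendipity code: a minimal PHP sketch of the group-scoped check the post asks for in place of the global `adminEntriesMaintainOthers` flag. The function name, the data layout and the rule that an entry belongs to exactly one group are assumptions made for illustration.

```php
<?php
// Added illustration; all names and data below are hypothetical, not s9y APIs.

// Constructed sample data: user => groups the user is a member of.
$memberOf = [
    'alice' => ['grp1'],          // plays the role of "g1admin"
    'bob'   => ['grp1'],
    'carol' => ['grp2'],
    'dave'  => ['grp1', 'grp2'],  // member of both groups
];
// Constructed sample data: user => groups the user administers.
$adminOf = ['alice' => ['grp1']];
// Constructed sample data: entry id => author and owning group (assumption: one group per entry).
$entries = [
    10 => ['author' => 'bob',   'group' => 'grp1'],
    11 => ['author' => 'carol', 'group' => 'grp2'],
    12 => ['author' => 'dave',  'group' => 'grp2'],
];

/**
 * Group-scoped "maintain others" check, deny by default.
 * Editing is allowed for the author, or for an admin of the entry's group
 * when the author is a member of that same group.
 */
function canEditEntry(string $actor, int $entryId, array $entries, array $memberOf, array $adminOf): bool
{
    if (!isset($entries[$entryId])) {
        return false; // unknown entry: deny
    }
    $entry = $entries[$entryId];
    if ($entry['author'] === $actor) {
        return true; // authors keep control of their own entries
    }
    // Scope by the entry's group, not by any group the author happens to be in.
    $group = $entry['group'];
    $administers   = in_array($group, $adminOf[$actor] ?? [], true);
    $authorInGroup = in_array($group, $memberOf[$entry['author']] ?? [], true);
    return $administers && $authorInGroup;
}

// alice may edit bob's grp1 entry, but not carol's grp2 entry, and not dave's
// grp2 entry either, even though dave is also a grp1 member.
foreach ([['alice', 10], ['alice', 11], ['alice', 12], ['bob', 10], ['carol', 10]] as [$actor, $id]) {
    $ok = canEditEntry($actor, $id, $entries, $memberOf, $adminOf);
    printf("%s -> entry %d: %s\n", $actor, $id, $ok ? 'allow' : 'deny');
}
```

The same ownership test would apply to the separated media directories, with the directory's group taking the place of the entry's group.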

Re: Extending ACL

Posted: Fri Jun 22, 2007 10:23 pm
by garvinhicking
Hi!

Actually, plugins should be able to add privileges on their own. BUT if you want to manage core functionality (create categories etc.), those plugin ACLs don't help you because you would need to edit core functionality for that.

I think if there's a good way to granulate the ACLs, that could very well be put into our SVN trunk, yes!

I don't have time right now to think more about what you want to do and if there's an easier approach. I'll try to re-read this posting sometime next week though. As you wrote, this question is a little bit more complicated than usual questions here :)

Best regards,
Garvin