RFC: Forum Permissions


RFC: Forum Permissions

Adrian Crum
Right now the forum feature in Content Manager uses basic CRUD permissions checking - and those
permissions start with "CONTENTMGR".

If the forum feature is used stand-alone, then granting a user permission to use the forums also
grants them permission to use the Content Manager component - not a desirable result. I have some
ideas about forum permissions that I would like to get comments on.

I'd like to change how forum permission checking is handled in two phases. Phase one would be to
simply change the basic CRUD permission checking to use "FORUM" based permissions: "FORUM_ADMIN"
"FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE" and so on. This would
enable the forum feature to be used stand-alone immediately.

Phase two would be to change the permissions checking entirely to make permitted actions more role
based. There would be forum admins or moderators, forum users would "subscribe" to a forum and be
given some basic permissions, and admins or moderators could grant subscribers additional
permissions as they see fit. This phase would make the forums operate more like what you see in
social networking sites and the like.

Both phases bring up a problem I don't know how to solve. It's the same problem I've run into before
in other areas of OFBiz - the java code and simple methods that are used have embedded permissions
checking in them. Even if we do forum-specific permissions checking in the forum component, the
methods that are called will be doing Content Manager permissions checking. I worked around that
problem on my local copy by recreating the content manager methods in minilang and removing the
embedded permissions checking.

So, I need comments/advice/suggestions for phase one, phase two, and how to overcome embedded
permissions checking in java code and simple methods.

-Adrian
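
The embedded-check problem described in the message above, modelled in Java as an added example (not OFBiz code and not written by the thread's authors): a forum entry point that reuses a method with a built-in Content Manager check, beside one that checks only at its own boundary. All class and method names are hypothetical, and `CONTENTMGR_CREATE` is an assumed permission name built from the "CONTENTMGR" prefix.

```java
import java.util.Set;

// Added illustration; class and method names are hypothetical, not OFBiz APIs.
public class ForumPermissionDemo {

    static void require(Set<String> granted, String permission) {
        if (!granted.contains(permission)) {
            throw new SecurityException(permission + " required");
        }
    }

    // Shared content method with the permission check embedded in it.
    // CONTENTMGR_CREATE is an assumed name following the "CONTENTMGR" prefix.
    static String createContentEmbedded(Set<String> granted, String text) {
        require(granted, "CONTENTMGR_CREATE");
        return storeContent(text);
    }

    // The same operation with no check of its own. It stays private so that
    // every caller has to come through an entry point that does check.
    private static String storeContent(String text) {
        return "stored: " + text;
    }

    // Forum entry point reusing the embedded-check method: the FORUM check
    // passes, then the CONTENTMGR check inside the callee decides the outcome.
    static String createThreadViaEmbedded(Set<String> granted, String text) {
        require(granted, "FORUMTHREAD_CREATE");
        return createContentEmbedded(granted, text);
    }

    // Forum entry point that checks once at its own boundary.
    static String createThreadSeparated(Set<String> granted, String text) {
        require(granted, "FORUMTHREAD_CREATE");
        return storeContent(text);
    }

    public static void main(String[] args) {
        Set<String> forumUser = Set.of("FORUMTHREAD_CREATE"); // constructed sample grant
        try {
            createThreadViaEmbedded(forumUser, "hello");
        } catch (SecurityException e) {
            System.out.println("embedded check: denied, " + e.getMessage());
        }
        System.out.println("separated check: " + createThreadSeparated(forumUser, "hello"));
    }
}
```

With the embedded check, the only way to let this user post is to also grant `CONTENTMGR_CREATE`, which is the over-grant the message describes.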


Re: RFC: Forum Permissions

Adrian Crum
I'm bumping this old message because I am working on getting our local
forum improvements fed back into the trunk. It's hard to believe it has
been more than a year since I started this! Anyways...

I started to make the permission checking changes I proposed in the
original email, but I have run into another problem. The OFBiz Content
Manager relates party IDs (and their associated roles) to content
records. Most public-facing blogs and forums have nothing more than a
user login ID. Any additional information (the type found in Party
Manager) is usually optional.

So, if a new user (with only a user login ID) subscribes to a forum,
should we create a Person automatically - so a forum/blog admin can
assign the necessary roles, etc?

-Adrian

Adrian Crum wrote:

> Right now the forum feature in Content Manager uses basic CRUD
> permissions checking - and those permissions start with "CONTENTMGR".
>
> If the forum feature is used stand-alone, then granting a user
> permission to use the forums also grants them permission to use the
> Content Manager component - not a desirable result. I have some ideas
> about forum permissions that I would like to get comments on.
>
> I'd like to change how forum permission checking is handled in two
> phases. Phase one would be to simply change the basic CRUD permission
> checking to use "FORUM" based permissions: "FORUM_ADMIN"
> "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE"
> and so on. This would enable the forum feature to be used stand-alone
> immediately.
>
> Phase two would be to change the permissions checking entirely to make
> permitted actions more role based. There would be forum admins or
> moderators, forum users would "subscribe" to a forum and be given some
> basic permissions, and admins or moderators could grant subscribers
> additional permissions as they see fit. This phase would make the forums
> operate more like what you see in social networking sites and the like.
>
> Both phases bring up a problem I don't know how to solve. It's the same
> problem I've run into before in other areas of OFBiz - the java code and
> simple methods that are used have embedded permissions checking in them.
> Even if we do forum-specific permissions checking in the forum
> component, the methods that are called will be doing Content Manager
> permissions checking. I worked around that problem on my local copy by
> recreating the content manager methods in minilang and removing the
> embedded permissions checking.
>
> So, I need comments/advice/suggestions for phase one, phase two, and how
> to overcome embedded permissions checking in java code and simple methods.
>
> -Adrian
>
>

Re: RFC: Forum Permissions

David E Jones-3

The Party/Person and related entities are the only place to store a
name, email address, and other information that is commonly tracked in
forums. Also, considering that for OFBiz there may be many cases where
forums are used along with an ecommerce site, employee portal, or
other such functionality, using the standard places to store
information makes things much easier (i.e. avoid redundancy, and
inconsistency, the inevitable offspring of redundancy).

Anyway, IMO this is the most natural place to put this information,  
and it fits in the Content security model, so off we go...

-David


On Jan 12, 2009, at 12:21 PM, Adrian Crum wrote:

> I'm bumping this old message because I am working on getting our  
> local forum improvements fed back into the trunk. It's hard to  
> believe it has been more than a year since I started this! Anyways...
>
> I started to make the permission checking changes I proposed in the  
> original email, but I have run into another problem. The OFBiz  
> Content Manager relates party IDs (and their associated roles) to  
> content records. Most public-facing blogs and forums have nothing  
> more than a user login ID. Any additional information (the type  
> found in Party Manager) is usually optional.
>
> So, if a new user (with only a user login ID) subscribes to a forum,  
> should we create a Person automatically - so a forum/blog admin can  
> assign the necessary roles, etc?
>
> -Adrian
>
> Adrian Crum wrote:
>> Right now the forum feature in Content Manager uses basic CRUD  
>> permissions checking - and those permissions start with "CONTENTMGR".
>> If the forum feature is used stand-alone, then granting a user  
>> permission to use the forums also grants them permission to use the  
>> Content Manager component - not a desirable result. I have some  
>> ideas about forum permissions that I would like to get comments on.
>> I'd like to change how forum permission checking is handled in two  
>> phases. Phase one would be to simply change the basic CRUD  
>> permission checking to use "FORUM" based permissions: "FORUM_ADMIN"  
>> "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE  
>> _DELETE" and so on. This would enable the forum feature to be used  
>> stand-alone immediately.
>> Phase two would be to change the permissions checking entirely to  
>> make permitted actions more role based. There would be forum admins  
>> or moderators, forum users would "subscribe" to a forum and be  
>> given some basic permissions, and admins or moderators could grant  
>> subscribers additional permissions as they see fit. This phase  
>> would make the forums operate more like what you see in social  
>> networking sites and the like.
>> Both phases bring up a problem I don't know how to solve. It's the  
>> same problem I've run into before in other areas of OFBiz - the  
>> java code and simple methods that are used have embedded  
>> permissions checking in them. Even if we do forum-specific  
>> permissions checking in the forum component, the methods that are  
>> called will be doing Content Manager permissions checking. I worked  
>> around that problem on my local copy by recreating the content  
>> manager methods in minilang and removing the embedded permissions  
>> checking.
>> So, I need comments/advice/suggestions for phase one, phase two,  
>> and how to overcome embedded permissions checking in java code and  
>> simple methods.
>> -Adrian