RFC: Forum Permissions
Locked
 
|
Right now the forum feature in Content Manager uses basic CRUD permissions checking - and those
permissions start with "CONTENTMGR". If the forum feature is used stand-alone, then granting a user permission to use the forums also grants them permission to use the Content Manager component - not a desirable result. I have some ideas about forum permissions that I would like to get comments on. I'd like to change how forum permission checking is handled in two phases. Phase one would be to simply change the basic CRUD permission checking to use "FORUM" based permissions: "FORUM_ADMIN" "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE" and so on. This would enable the forum feature to be used stand-alone immediately. Phase two would be to change the permissions checking entirely to make permitted actions more role based. There would be forum admins or moderators, forum users would "subscribe" to a forum and be given some basic permissions, and admins or moderators could grant subscribers additional permissions as they see fit. This phase would make the forums operate more like what you see in social networking sites and the like. Both phases bring up a problem I don't know how to solve. It's the same problem I've run into before in other areas of OFBiz - the java code and simple methods that are used have embedded permissions checking in them. Even if we do forum-specific permissions checking in the forum component, the methods that are called will be doing Content Manager permissions checking. I worked around that problem on my local copy by recreating the content manager methods in minilang and removing the embedded permissions checking. So, I need comments/advice/suggestions for phase one, phase two, and how to overcome embedded permissions checking in java code and simple methods. -Adrian |
|
|
I'm bumping this old message because I am working on getting our local
forum improvements fed back into the trunk. It's hard to believe it has been more than a year since I started this! Anyways... I started to make the permission checking changes I proposed in the original email, but I have run into another problem. The OFBiz Content Manager relates party IDs (and their associated roles) to content records. Most public-facing blogs and forums have nothing more than a user login ID. Any additional information (the type found in Party Manager) is usually optional. So, if a new user (with only a user login ID) subscribes to a forum, should we create a Person automatically - so a forum/blog admin can assign the necessary roles, etc? -Adrian Adrian Crum wrote: > Right now the forum feature in Content Manager uses basic CRUD > permissions checking - and those permissions start with "CONTENTMGR". > > If the forum feature is used stand-alone, then granting a user > permission to use the forums also grants them permission to use the > Content Manager component - not a desirable result. I have some ideas > about forum permissions that I would like to get comments on. > > I'd like to change how forum permission checking is handled in two > phases. Phase one would be to simply change the basic CRUD permission > checking to use "FORUM" based permissions: "FORUM_ADMIN" > "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE" > and so on. This would enable the forum feature to be used stand-alone > immediately. > > Phase two would be to change the permissions checking entirely to make > permitted actions more role based. There would be forum admins or > moderators, forum users would "subscribe" to a forum and be given some > basic permissions, and admins or moderators could grant subscribers > additional permissions as they see fit. This phase would make the forums > operate more like what you see in social networking sites and the like. > > Both phases bring up a problem I don't know how to solve. It's the same > problem I've run into before in other areas of OFBiz - the java code and > simple methods that are used have embedded permissions checking in them. > Even if we do forum-specific permissions checking in the forum > component, the methods that are called will be doing Content Manager > permissions checking. I worked around that problem on my local copy by > recreating the content manager methods in minilang and removing the > embedded permissions checking. > > So, I need comments/advice/suggestions for phase one, phase two, and how > to overcome embedded permissions checking in java code and simple methods. > > -Adrian > > |
|
|
The Party/Person and related entities is the only place to store a name, email address, and other information that is commonly tracked in forums. Also considering that for OFBiz there may be many cases where forums are used along with an ecommerce site, employee portal, or other such functionality using the standard places to store information makes things much easier (ie avoid redundancy, and inconsistency the inevitable offspring of redundancy). Anyway, IMO this is the most natural place to put this information, and it fits in the Content security model, so off we go... -David On Jan 12, 2009, at 12:21 PM, Adrian Crum wrote: > I'm bumping this old message because I am working on getting our > local forum improvements fed back into the trunk. It's hard to > believe it has been more than a year since I started this! Anyways... > > I started to make the permission checking changes I proposed in the > original email, but I have run into another problem. The OFBiz > Content Manager relates party IDs (and their associated roles) to > content records. Most public-facing blogs and forums have nothing > more than a user login ID. Any additional information (the type > found in Party Manager) is usually optional. > > So, if a new user (with only a user login ID) subscribes to a forum, > should we create a Person automatically - so a forum/blog admin can > assign the necessary roles, etc? > > -Adrian > > Adrian Crum wrote: >> Right now the forum feature in Content Manager uses basic CRUD >> permissions checking - and those permissions start with "CONTENTMGR". >> If the forum feature is used stand-alone, then granting a user >> permission to use the forums also grants them permission to use the >> Content Manager component - not a desirable result. I have some >> ideas about forum permissions that I would like to get comments on. >> I'd like to change how forum permission checking is handled in two >> phases. Phase one would be to simply change the basic CRUD >> permission checking to use "FORUM" based permissions: "FORUM_ADMIN" >> "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE >> _DELETE" and so on. This would enable the forum feature to be used >> stand-alone immediately. >> Phase two would be to change the permissions checking entirely to >> make permitted actions more role based. There would be forum admins >> or moderators, forum users would "subscribe" to a forum and be >> given some basic permissions, and admins or moderators could grant >> subscribers additional permissions as they see fit. This phase >> would make the forums operate more like what you see in social >> networking sites and the like. >> Both phases bring up a problem I don't know how to solve. It's the >> same problem I've run into before in other areas of OFBiz - the >> java code and simple methods that are used have embedded >> permissions checking in them. Even if we do forum-specific >> permissions checking in the forum component, the methods that are >> called will be doing Content Manager permissions checking. I worked >> around that problem on my local copy by recreating the content >> manager methods in minilang and removing the embedded permissions >> checking. >> So, I need comments/advice/suggestions for phase one, phase two, >> and how to overcome embedded permissions checking in java code and >> simple methods. >> -Adrian |
«
Return to OFBiz - Dev
|
1 view|%1 views
| Free forum by Nabble | Edit this page |