specifying rights

michi, July 9, 2001 at 4:12:37 PM CEST

specifying rights

we already discussed the roles of contributors and users before, but i still think that the current implementations is not flexible enough, and that there will be soon scenarios where it won't be sufficient.

right now there is just a single property ("user may contribute"), but if you take a closer look you can identify the following actions which need to be granted or restricted to users:

accessing a weblog (i.e. reading stories+comments)
writing stories
editing their own stories
deleting their own stories
editing other people's stories
deleting other people's stories
writing comments
editing their own comments
deleting their own comments
editing other people's comments
deleting other people's comments
upload images
remove images

the Admin of a Weblog should always have all those rights, and can also modify the weblog preferences and the skins.

so there are 3 user groups remaining:

contributors
registered users
anonymous users

3 groups times 13 rights = 39 new properties for weblog !?!

looks complicated but should be really eeasy to implement, and is also the "cleanest" solution.

in order to make life easy for weblog-creators there should be a reasonable default setting for all those rights.

comment

michi, July 9, 2001 at 4:17:03 PM CEST

user may signup

by the way: why shouldn't a user be able to sign up to a weblog? if the Admin doesn't want to be bothered by too many signup-emails, she should just skip the link/macro from the header skin. right?

link

robert, July 9, 2001 at 6:03:43 PM CEST

not quite

because if one just removes the link, i just have to guess the url (which is not that difficult) and i could sign up. that's why i added the property "usermaysignup", because then one can definetly disable signup (which means no way to access the signup-action)

link

... comment

robert, July 9, 2001 at 6:38:35 PM CEST

too much

the flag "users may contribute" is just for "opening" the weblog, that means that every registered user automatically becomes a contributor (like in this project-weblog). all other rights are defined in "membership"-objects for each single signed up user, where an admin can choose whether a user should become a contributor or even an admin.

i don't know if i got you right, but i strongly believe that no one (not even admins) should be able to edit the story of another admin/contributor. why? if i read a story from an author, i want to be sure that this story is from this author, and not that the he wrote this story and several others changed it - otherwise the display of the author-name is senseless. also, if i choose to allow contributions by another user, this is a sign of trust (otherwise i wouldn't do it), so there is not any need to change his/her stories. and finally, i strongly believe that owning a weblog or contributing to one has a lot to do with taking responsibility, so there should not be any need for "overruling".

the same with comments: i don't want anybody to be able to edit my comments, the only compromise i made was that admins are allowed to delete comments from other users (because this, as far as i experienced) is - sadly enough - sometimes necessary).

setting up 39 (!) properties (= db-columns) just for security means that admins have to enable/disable them (according to their needs), and this is imho far away from easy (besides that it's not what i would call "nice"). it also opens up a lot of possibilities for "senseless" configurations (i.e. contributors are not allowed to edit their own stories, but registered users are ...) or means that you have to do a lot of checking. and why should one be able to edit own stories, but not to delete them? i don't get the sense of this, but maybe i just got you wrong.

link

michi, July 10, 2001 at 8:49:43 AM CEST

"too much" vs. "too simple"

2^39 possibilities definitely don't make sense, and i know that, but somewhere in between this number and just being able to switch "user may contribute" is the truth.

it's alsways dangerous to predict all possible user cases and therefore admins of weblogs should get maximum of flexibility.

editing other stories might make sense for project, if people try to write some kind of little document together and always make modification on the same piece.

Editing other people comments might make sense in order to "encrypt" bad slang words with "&*%#".

Should users be able to delete their own comments? or upload images? i say no, but there is definitely the need for other options out there.

Antville's strength could be that it surpasses some of the limitations of Blogger and Co.

"Easy" and "nice" implementation in that sense, that the permission check in each hac-file would fetch the current role of the user, and whether this user-role is allowed to perform the action (according to the specific right-setting for this role and for this action).

link

robert, July 10, 2001 at 9:35:01 AM CEST

possible solution?

imho "authorship" is a very important issue, and if i write a story or a comment i take the responsibility for it. that's why i wouldn't like to know that someone else can change the stuff i wrote. (if we allow editing of foreign stories there is another problem coming up: we'll have to lock the story to avoid concurrency conflicts.)

but what about giving the author the possibility to (dis-)allow editing for others? we could simply place a dropdown into story-editor where the creator of the story can define that "admins"/"contributors"/"users"/"just the author" can edit this story. then it's up to the author of the story to decide (default should be "just the author"). still i believe that nobody should be able to edit a user-comment, just deleting should be allowed to admins (and i also think that antville should place a short comment on the page telling everybody that a posting from user x has been deleted).

there is another thing we could do: add a flag for "users may comment" to weblog. if this is true, registered users may add comments, if this is false only members of this weblog are allowed to.

link

... comment

tobi, July 9, 2001 at 6:38:52 PM CEST

rights and wrongs

i can understand the necessity for improved rights management, although i would like to have a reality check with the 39 rights you proposed...

anyway, i imagine that such things that definitely cross the border between the weblog as such and a community communication commodore (giving eggs, wool, milk and pork) have to be opted-in. ie. there have to be switches that enable antville to behave like that. by default it certainly should be in "off" position.

link

... comment

The Antville Server Fund has been a great success. Thanks to everybody who contributed!

online for 8551 Days
last updated: 1/4/11, 10:22 AM

Youre not logged in ... Login

... home
... topics
... galleries

... Home

... Tags

... Galleries

... about antville
... download

... macros.antville.org
... help.antville.org
... translate antville!
... antville home

zfuture's house here is zfuture's
house

by zfuture (7/31/03, 2:59 AM)

i understand your concerns however,
i hardly can think of a solution. certainly, if the...

by tobi (7/29/03, 9:47 AM)

Found several more similar sites
listed This is getting to be quite a concern to...

by cobalt123 (7/27/03, 7:56 PM)

Second Post Alert on Referrer
bug livecatz I put this into "help" and now here:...

by cobalt123 (7/26/03, 7:14 PM)

well it's not easy to
find from here, anyway. think we should include a link,...

by tobi (7/24/03, 11:25 AM)

So finally I found
the helma Bugzilla - stupid me.

by mdornseif (7/24/03, 10:28 AM)

clock not that it's particularly
earthshattering but the antclock is running slow by about 15...

by kohlehydrat (7/23/03, 8:25 PM)

but blogosphere.us isn't can't really
be rated as spam can it?

by kohlehydrat (7/23/03, 8:08 PM)

More referrer spam www.webfrost.com

by Irene (7/23/03, 7:55 PM)

How to log skin names
I accessed to console?? Hi, I would like to know...

by winson (7/23/03, 4:12 PM)

Click here to get an XML version of this weblog.