Posted to dev@ofbiz.apache.org by Adrian Crum <ad...@hlmksw.com> on 2007/08/27 17:27:24 UTC

RFC: Forum Permissions

Right now the forum feature in Content Manager uses basic CRUD permissions checking - and those 
permissions start with "CONTENTMGR".

If the forum feature is used stand-alone, then granting a user permission to use the forums also 
grants them permission to use the Content Manager component - not a desirable result. I have some 
ideas about forum permissions that I would like to get comments on.

I'd like to change how forum permission checking is handled in two phases. Phase one would be to 
simply change the basic CRUD permission checking to use "FORUM" based permissions: "FORUM_ADMIN" 
"FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE" and so on. This would 
enable the forum feature to be used stand-alone immediately.

Phase two would be to change the permissions checking entirely to make permitted actions more role 
based. There would be forum admins or moderators, forum users would "subscribe" to a forum and be 
given some basic permissions, and admins or moderators could grant subscribers additional 
permissions as they see fit. This phase would make the forums operate more like what you see in 
social networking sites and the like.

Both phases bring up a problem I don't know how to solve. It's the same problem I've run into before 
in other areas of OFBiz - the Java code and simple methods that are used have embedded permissions 
checking in them. Even if we do forum-specific permissions checking in the forum component, the 
methods that are called will be doing Content Manager permissions checking. I worked around that 
problem on my local copy by recreating the content manager methods in minilang and removing the 
embedded permissions checking.

So, I need comments/advice/suggestions for phase one, phase two, and how to overcome embedded 
permissions checking in Java code and simple methods.

-Adrian
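
Added example (not part of the original message and not OFBiz code): a self-contained Java model of the embedded-check problem described above, showing a shared content method that demands a CONTENTMGR permission next to a variant where the check is lifted to the forum entry point. The class and method names are hypothetical and the grants are constructed; only the permission strings come from the message.

```java
import java.util.Set;

// Constructed model of the permission names in the message; not OFBiz code.
public class ForumPermissionDemo {

    // Shared content method with the check embedded: it always demands CONTENTMGR.
    static String createContentEmbedded(Set<String> granted, String text) {
        if (!granted.contains("CONTENTMGR_CREATE")) {
            throw new SecurityException("CONTENTMGR_CREATE required");
        }
        return "created: " + text;
    }

    // Same operation without the embedded check. Kept private so it is reachable
    // only through entry points that have already authorized the caller.
    private static String createContentUnchecked(String text) {
        return "created: " + text;
    }

    // Forum entry point (phase one): checks forum permissions, then delegates.
    static String postThread(Set<String> granted, String text) {
        if (!granted.contains("FORUM_ADMIN") && !granted.contains("FORUMTHREAD_CREATE")) {
            throw new SecurityException("FORUMTHREAD_CREATE required");
        }
        return createContentUnchecked(text);
    }

    public static void main(String[] args) {
        Set<String> forumOnly = Set.of("FORUMTHREAD_CREATE"); // constructed grants
        Set<String> noGrants = Set.of();

        // The forum user is authorized for the forum, yet the embedded check refuses.
        try {
            createContentEmbedded(forumOnly, "first post");
        } catch (SecurityException e) {
            System.out.println("embedded check: denied, " + e.getMessage());
        }
        // With the check at the entry point, the forum permission is sufficient...
        System.out.println("forum entry point: " + postThread(forumOnly, "first post"));
        // ...and a user with no grants is still refused.
        try {
            postThread(noGrants, "spam");
        } catch (SecurityException e) {
            System.out.println("forum entry point: denied, " + e.getMessage());
        }
    }
}
```

Removing an embedded check is only safe when every remaining path to the unchecked method performs its own authorization first.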


Re: RFC: Forum Permissions

Posted by David E Jones <da...@hotwaxmedia.com>.
The Party/Person and related entities is the only place to store a  
name, email address, and other information that is commonly tracked in  
forums. Also, considering that for OFBiz there may be many cases where  
forums are used along with an ecommerce site, employee portal, or  
other such functionality, using the standard places to store  
information makes things much easier (i.e., avoid redundancy, and  
inconsistency, the inevitable offspring of redundancy).

Anyway, IMO this is the most natural place to put this information,  
and it fits in the Content security model, so off we go...

-David


On Jan 12, 2009, at 12:21 PM, Adrian Crum wrote:

> I'm bumping this old message because I am working on getting our  
> local forum improvements fed back into the trunk. It's hard to  
> believe it has been more than a year since I started this! Anyways...
>
> I started to make the permission checking changes I proposed in the  
> original email, but I have run into another problem. The OFBiz  
> Content Manager relates party IDs (and their associated roles) to  
> content records. Most public-facing blogs and forums have nothing  
> more than a user login ID. Any additional information (the type  
> found in Party Manager) is usually optional.
>
> So, if a new user (with only a user login ID) subscribes to a forum,  
> should we create a Person automatically - so a forum/blog admin can  
> assign the necessary roles, etc?
>
> -Adrian
>
> Adrian Crum wrote:
>> Right now the forum feature in Content Manager uses basic CRUD  
>> permissions checking - and those permissions start with "CONTENTMGR".
>> If the forum feature is used stand-alone, then granting a user  
>> permission to use the forums also grants them permission to use the  
>> Content Manager component - not a desirable result. I have some  
>> ideas about forum permissions that I would like to get comments on.
>> I'd like to change how forum permission checking is handled in two  
>> phases. Phase one would be to simply change the basic CRUD  
>> permission checking to use "FORUM" based permissions: "FORUM_ADMIN"  
>> "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE  
>> _DELETE" and so on. This would enable the forum feature to be used  
>> stand-alone immediately.
>> Phase two would be to change the permissions checking entirely to  
>> make permitted actions more role based. There would be forum admins  
>> or moderators, forum users would "subscribe" to a forum and be  
>> given some basic permissions, and admins or moderators could grant  
>> subscribers additional permissions as they see fit. This phase  
>> would make the forums operate more like what you see in social  
>> networking sites and the like.
>> Both phases bring up a problem I don't know how to solve. It's the  
>> same problem I've run into before in other areas of OFBiz - the  
>> Java code and simple methods that are used have embedded  
>> permissions checking in them. Even if we do forum-specific  
>> permissions checking in the forum component, the methods that are  
>> called will be doing Content Manager permissions checking. I worked  
>> around that problem on my local copy by recreating the content  
>> manager methods in minilang and removing the embedded permissions  
>> checking.
>> So, I need comments/advice/suggestions for phase one, phase two,  
>> and how to overcome embedded permissions checking in Java code and  
>> simple methods.
>> -Adrian


Re: RFC: Forum Permissions

Posted by Adrian Crum <ad...@hlmksw.com>.
I'm bumping this old message because I am working on getting our local 
forum improvements fed back into the trunk. It's hard to believe it has 
been more than a year since I started this! Anyways...

I started to make the permission checking changes I proposed in the 
original email, but I have run into another problem. The OFBiz Content 
Manager relates party IDs (and their associated roles) to content 
records. Most public-facing blogs and forums have nothing more than a 
user login ID. Any additional information (the type found in Party 
Manager) is usually optional.

So, if a new user (with only a user login ID) subscribes to a forum, 
should we create a Person automatically - so a forum/blog admin can 
assign the necessary roles, etc?

-Adrian

Adrian Crum wrote:
> Right now the forum feature in Content Manager uses basic CRUD 
> permissions checking - and those permissions start with "CONTENTMGR".
> 
> If the forum feature is used stand-alone, then granting a user 
> permission to use the forums also grants them permission to use the 
> Content Manager component - not a desirable result. I have some ideas 
> about forum permissions that I would like to get comments on.
> 
> I'd like to change how forum permission checking is handled in two 
> phases. Phase one would be to simply change the basic CRUD permission 
> checking to use "FORUM" based permissions: "FORUM_ADMIN" 
> "FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE" 
> and so on. This would enable the forum feature to be used stand-alone 
> immediately.
> 
> Phase two would be to change the permissions checking entirely to make 
> permitted actions more role based. There would be forum admins or 
> moderators, forum users would "subscribe" to a forum and be given some 
> basic permissions, and admins or moderators could grant subscribers 
> additional permissions as they see fit. This phase would make the forums 
> operate more like what you see in social networking sites and the like.
> 
> Both phases bring up a problem I don't know how to solve. It's the same 
> problem I've run into before in other areas of OFBiz - the Java code and 
> simple methods that are used have embedded permissions checking in them. 
> Even if we do forum-specific permissions checking in the forum 
> component, the methods that are called will be doing Content Manager 
> permissions checking. I worked around that problem on my local copy by 
> recreating the content manager methods in minilang and removing the 
> embedded permissions checking.
> 
> So, I need comments/advice/suggestions for phase one, phase two, and how 
> to overcome embedded permissions checking in Java code and simple methods.
> 
> -Adrian
> 
>