Posted to dev@roller.apache.org by Zac Morris <za...@zacwolf.com> on 2008/03/24 17:07:23 UTC

ACL for viewing individual posts?

Howdy, I've been tasked with some investigation into 
implementing blogging within our enterprise.  Being that I'm 
not a fan of PHP I prefer roller over wordpress, but there is 
some momentum building to select Wordpress over roller.  The 
biggie that keeps getting mentioned is:
1) Wordpress development community more active.

I sort of look at them odd when they say that since roller is 
an apache project, and it's hard to think of a more active 
development community.  So I've decided to try to become active 
in the roller development community myself.  I'm not at liberty 
to say what company I'm with, just yet, so I'm using my 
personal information for now.

The reason that I keep coming back to roller is that it is 
based on Java and it supports Oracle (our Enterprise dB solution).

I've been looking deeper and deeper into roller, and the one 
feature that seems to me to be missing is the concept of 
"audience entitlement".  Said another way, the ability to post 
an entry and then set a "group" that can view that entry 
[public, friends, custom, private].

My background is a more "journal" based approach to blogging 
(i.e. LiveJournal), and not just using blogging as a "public 
publishing system" approach, that I think roller represents?

I'm guessing that the fundamental "approach" (journal vs. 
publishing) is one of root use case, so I wanted to ask the 
roller development community what the thoughts have been 
regarding these two different approaches?

As I see it the "journaling" approach is more about social 
networking.  Enabling the poster to create dynamic groups that 
represent different communities or levels of "trust" regarding 
who can see a given post.  This seems to be compatible with 
personal usage, but in my opinion also seems to mesh well with 
an Enterprise usage.  I say that because most Enterprises 
already have several "public publishing" methods in the form of 
traditional websites, news/announcement publishing systems, 
and/or collaborative workspaces, so what blogging brings to the 
Enterprise is this concept of a single place for a user to 
post, that then gives them an easy way to choose the audience 
for each of those posts.

Before I dig into the code, I wanted to try to understand if 
there was any project "philosophy" regarding these approaches.

THANKS!
-Zac Morris

________________________________________________________________________
Delivered using the Free Personal edition of Mailtraq (www.mailtraq.com)

Re: ACL for viewing individual posts?

Posted by Allen Gilliland <Al...@Sun.COM>.
I don't think there is any defined "philosophy", but generally speaking 
this is something that very few people have asked for so it's not solved 
for in the code.

The authoring interface does have a notion of groups and roles so you 
can limit access to things fairly well, but the rendering and viewing of 
weblogs has no notion of access control so you'd have to develop all of 
that.  A pretty significant amount of work would be needed to do that.

-- Allen


Zac Morris wrote:
> Howdy, I've been tasked with some investigation into 
> implementing blogging within our enterprise.  Being that I'm 
> not a fan of PHP I prefer roller over wordpress, but there is 
> some momentum building to select Wordpress over roller.  The 
> biggie that keeps getting mentioned is:
> 1) Wordpress development community more active.
> 
> I sort of look at them odd when they say that since roller is 
> an apache project, and it's hard to think of a more active 
> development community.  So I've decided to try to become active 
> in the roller development community myself.  I'm not at liberty 
> to say what company I'm with, just yet, so I'm using my 
> personal information for now.
> 
> The reason that I keep coming back to roller is that it is 
> based on Java and it supports Oracle (our Enterprise dB solution).
> 
> I've been looking deeper and deeper into roller, and the one 
> feature that seems to me to be missing is the concept of 
> "audience entitlement".  Said another way, the ability to post 
> an entry and then set a "group" that can view that entry 
> [public, friends, custom, private].
> 
> My background is a more "journal" based approach to blogging 
> (i.e. LiveJournal), and not just using blogging as a "public 
> publishing system" approach, that I think roller represents?
> 
> I'm guessing that the fundamental "approach" (journal vs. 
> publishing) is one of root use case, so I wanted to ask the 
> roller development community what the thoughts have been 
> regarding these two different approaches?
> 
> As I see it the "journaling" approach is more about social 
> networking.  Enabling the poster to create dynamic groups that 
> represent different communities or levels of "trust" regarding 
> who can see a given post.  This seems to be compatible with 
> personal usage, but in my opinion also seems to mesh well with 
> an Enterprise usage.  I say that because most Enterprises 
> already have several "public publishing" methods in the form of 
> traditional websites, news/announcement publishing systems, 
> and/or collaborative workspaces, so what blogging brings to the 
> Enterprise is this concept of a single place for a user to 
> post, that then gives them an easy way to choose the audience 
> for each of those posts.
> 
> Before I dig into the code, I wanted to try to understand if 
> there was any project "philosophy" regarding these approaches.
> 
> THANKS!
> -Zac Morris

Re: ACL for viewing individual posts?

Posted by Allen Gilliland <Al...@Sun.COM>.
I don't think anyone here would be "diametrically opposed" to the idea, 
but after you start to work on the design a bit you may find that the 
reality of implementing this may be difficult to get everyone to swallow.

I think the idea is interesting and I would certainly be willing to 
listen to more about it.  I think one reason why this idea may not have 
caught on in Roller (and other blog software?) before is that to make 
use of it you really need to take the blog software and incorporate it 
into a larger software stack which handles how to manage the community 
you are talking about WRT "reader privileges".  Roller is focused just 
on the publishing aspect right now.

-- Allen


Zac Morris wrote:
>> Just to be absolutely clear, you are interested in setting the  
>> permissions per blog entry, not per blog?
> 
> Yes, but it would also be possible to set one of the groups as 
> "default" thus making all posts readable only by that "group".
> 
> 
> 
>> I don't know how people use this stuff or want to use it but to me it  
>> seems like if I was going to go to the trouble of setting up  
>> permissions for something I'd assign them to a blog so that would  
>> provide a convenient re-use point.
> 
> The difference is, like I said in my original post, the 
> difference between "blog as single topic publishing engine" vs. 
> "blog as multiple topic journal".
> 
> The first approach, which roller now seems to be geared 
> towards, is where a given blog is matched to a given audience, 
> and then posts to that specific blog match a given "topic" 
> readable for everyone reading the blog.  In this model, 
> entitlement is based on "poster" privileges, and not reader 
> privileges.
> 
> The second approach, which LiveJournal is geared towards, is 
> where a blog is a personal journal, and you basically set the 
> audience for each of your posts [because each post may not 
> match a specific "topic"] (i.e. when I post a journal entry that 
> contains personal information that I only want a group of 
> friends to see).
> 
> I have no problem doing the work, but like I said I see this as 
> a possible philosophical issue, as it is a paradigm shift of 
> how roller could be used, so wanted to know if anyone is 
> diametrically opposed.
> 
> 
> 
> 
> 
>> I had an idea about "hierarchical blog names" sort of like group/ 
>> subgroup/.../blogname. 
> 
> Yeah, it has been my experience that only technically minded 
> people seem to embrace hierarchical presentation.  Let's take the 
> Windows OS as an example.  Since Windows grew out of DOS, the 
> hierarchical filesystem is pretty much at the heart of Windows; 
> but if you ask the majority of non-technical users to bring up 
> "File Manager" they don't have a clue what you're talking 
> about.  This is why MS is already looking towards a dB/meta-data 
> based OS that won't be hierarchical in nature.  Personally I 
> think that sucks, but I've worked with enough of these 
> non-technical users to understand that they just don't "get" 
> hierarchical file systems.  
> 
> Let me say this all another way.  Typically blogs are mostly 
> matched to a given "topic".  Let's say a political blog.  An 
> individual, or a group of contributors, posts a series of 
> entries that match that given topic that is readable by the 
> entire "audience".
> 
> What I'm talking about is a blog where the contributor IS the 
> topic.  Since this kind of blog isn't quite so "clear cut" as 
> say a political blog, each "post" might need a different 
> audience.  So instead of having to set up multiple individual 
> "blogs" for different "topics", what I'm talking about is a 
> journal type approach where I post to a single blog, but then I 
> can choose the given audience that post is visible to.  Go take 
> a look at LiveJournal for exactly what I'm talking about.
> 
> THANKS!
> -Zac

Re: ACL for viewing individual posts?

Posted by Allen Gilliland <Al...@Sun.COM>.
Just so that you guys know ahead of time, setting up the groups & roles 
is the easy part.  The difficult part starts to come when you have to 
make *all* operations in the system enforce those rules and account for 
them.  This is where you are likely to run into problems making this 
work for Roller.

In the case of rendering a blog you have to realize that there become a 
huge number of ways in which the contents of that blog need to be 
rendered based on its intended audience and their permissions, which 
Roller is not equipped to deal with in any way right now.  Basically, 
every piece of a blog which is potentially made viewable has to be 
passed through this system and designed to only return results which are 
intended for the given client.  So with the rendering system, you would 
basically need to rewrite it so that it makes pretty much all decisions 
based on who the client is and what permissions they have.  That is no 
small feat.

Not that I want to discourage you from proceeding to work on this, but 
with changes that big you would probably find it easier to start from 
scratch.

-- Allen



David Jencks wrote:
> 
> On Mar 25, 2008, at 9:40 AM, Zac Morris wrote:
> 
>>>
>>> Just to be absolutely clear, you are interested in setting the
>>> permissions per blog entry, not per blog?
>>
>> Yes, but it would also be possible to set one of the groups as
>> "default" thus making all posts readable only by that "group".
>>
>>
>>
>>> I don't know how people use this stuff or want to use it but to me it
>>> seems like if I was going to go to the trouble of setting up
>>> permissions for something I'd assign them to a blog so that would
>>> provide a convenient re-use point.
>>
>> The difference is, like I said in my original post, the
>> difference between "blog as single topic publishing engine" vs.
>> "blog as multiple topic journal".
>>
>> The first approach, which roller now seems to be geared
>> towards, is where a given blog is matched to a given audience,
>> and then posts to that specific blog match a given "topic"
>> readable for everyone reading the blog.  In this model,
>> entitlement is based on "poster" privileges, and not reader
>> privileges.
>>
>> The second approach, which LiveJournal is geared towards, is
>> where a blog is a personal journal, and you basically set the
>> audience for each of your posts [because each post may not
>> match a specific "topic"] (i.e. when I post a journal entry that
>> contains personal information that I only want a group of
>> friends to see).
>>
>> I have no problem doing the work, but like I said I see this as
>> a possible philosophical issue, as it is a paradigm shift of
>> how roller could be used, so wanted to know if anyone is
>> diametrically opposed.
>>
>>
>>
>>
>>
>>>
>>> I had an idea about "hierarchical blog names" sort of like group/
>>> subgroup/.../blogname.
>>
>> Yeah, it has been my experience that only technically minded
>> people seem to embrace hierarchical presentation.  Let's take the
>> Windows OS as an example.  Since Windows grew out of DOS, the
>> hierarchical filesystem is pretty much at the heart of Windows;
>> but if you ask the majority of non-technical users to bring up
>> "File Manager" they don't have a clue what you're talking
>> about.  This is why MS is already looking towards a dB/meta-data
>> based OS that won't be hierarchical in nature.  Personally I
>> think that sucks, but I've worked with enough of these
>> non-technical users to understand that they just don't "get"
>> hierarchical file systems.
>>
>> Let me say this all another way.  Typically blogs are mostly
>> matched to a given "topic".  Let's say a political blog.  An
>> individual, or a group of contributors, posts a series of
>> entries that match that given topic that is readable by the
>> entire "audience".
>>
>> What I'm talking about is a blog where the contributor IS the
>> topic.  Since this kind of blog isn't quite so "clear cut" as
>> say a political blog, each "post" might need a different
>> audience.  So instead of having to set up multiple individual
>> "blogs" for different "topics", what I'm talking about is a
>> journal type approach where I post to a single blog, but then I
>> can choose the given audience that post is visible to.  Go take
>> a look at LiveJournal for exactly what I'm talking about.
> 
> Ok, I did :-)  I think I understand what you want to do.
> 
> As Allen says the infrastructure for representing groups of people per 
> user is missing.  You could implement this pretty easily using the RBAC 
> system I have in my head :-)
> 
> The basic idea behind RBAC (role based access control) is that you have 
> users you can identify, permissions to do stuff (in this case do 
> something to a blog or (for your idea) blog entry), and roles (basically 
> abstract names).  Then you have user-role associations and 
> role-permission associations (you can also have role hierarchies, 
> role-role associations, but they aren't necessary for this).  A user 
> gets a permission through a user-role association and then 
> role-permission association.
> 
> Here, to use the LiveJournal wording, each user gets to set up a role 
> for their friends and a role for each custom friend group. Then for 
> instance to make something visible to a particular custom friends group 
> you'd assign the view permission for that something to the custom 
> friends group you have in mind.
> 
> While it might seem a little odd to use roles for this -- often people 
> think of roles as more static, set up by administrators, fewer in 
> number, etc -- this parallels the implementation of discretionary access 
> control using rbac.  I like rbac because it provides a fairly clear 
> framework for thinking about authorization and lets you implement a very 
> wide variety of policies using the same basic system.  For instance you 
> can implement both this -- the extreme of user-based permission 
> management -- and a completely administrator-administered access system 
> using the same framework.
> 
> I have a couple ideas on how to implement the permissions also which I 
> can go into if you want.
> 
> thanks
> david jencks
> 
> 
>>
>> THANKS!
>> -Zac

Re: ACL for viewing individual posts?

Posted by David Jencks <da...@yahoo.com>.
On Mar 25, 2008, at 9:40 AM, Zac Morris wrote:

>>
>> Just to be absolutely clear, you are interested in setting the
>> permissions per blog entry, not per blog?
>
> Yes, but it would also be possible to set one of the groups as
> "default" thus making all posts readable only by that "group".
>
>
>
>> I don't know how people use this stuff or want to use it but to me it
>> seems like if I was going to go to the trouble of setting up
>> permissions for something I'd assign them to a blog so that would
>> provide a convenient re-use point.
>
> The difference is, like I said in my original post, the
> difference between "blog as single topic publishing engine" vs.
> "blog as multiple topic journal".
>
> The first approach, which roller now seems to be geared
> towards, is where a given blog is matched to a given audience,
> and then posts to that specific blog match a given "topic"
> readable for everyone reading the blog.  In this model,
> entitlement is based on "poster" privileges, and not reader
> privileges.
>
> The second approach, which LiveJournal is geared towards, is
> where a blog is a personal journal, and you basically set the
> audience for each of your posts [because each post may not
> match a specific "topic"] (i.e. when I post a journal entry that
> contains personal information that I only want a group of
> friends to see).
>
> I have no problem doing the work, but like I said I see this as
> a possible philosophical issue, as it is a paradigm shift of
> how roller could be used, so wanted to know if anyone is
> diametrically opposed.
>
>
>
>
>
>>
>> I had an idea about "hierarchical blog names" sort of like group/
>> subgroup/.../blogname.
>
> Yeah, it has been my experience that only technically minded
> people seem to embrace hierarchical presentation.  Let's take the
> Windows OS as an example.  Since Windows grew out of DOS, the
> hierarchical filesystem is pretty much at the heart of Windows;
> but if you ask the majority of non-technical users to bring up
> "File Manager" they don't have a clue what you're talking
> about.  This is why MS is already looking towards a dB/meta-data
> based OS that won't be hierarchical in nature.  Personally I
> think that sucks, but I've worked with enough of these
> non-technical users to understand that they just don't "get"
> hierarchical file systems.
>
> Let me say this all another way.  Typically blogs are mostly
> matched to a given "topic".  Let's say a political blog.  An
> individual, or a group of contributors, posts a series of
> entries that match that given topic that is readable by the
> entire "audience".
>
> What I'm talking about is a blog where the contributor IS the
> topic.  Since this kind of blog isn't quite so "clear cut" as
> say a political blog, each "post" might need a different
> audience.  So instead of having to set up multiple individual
> "blogs" for different "topics", what I'm talking about is a
> journal type approach where I post to a single blog, but then I
> can choose the given audience that post is visible to.  Go take
> a look at LiveJournal for exactly what I'm talking about.

Ok, I did :-)  I think I understand what you want to do.

As Allen says the infrastructure for representing groups of people per  
user is missing.  You could implement this pretty easily using the  
RBAC system I have in my head :-)

The basic idea behind RBAC (role based access control) is that you  
have users you can identify, permissions to do stuff (in this case do  
something to a blog or (for your idea) blog entry), and roles  
(basically abstract names).  Then you have user-role associations and  
role-permission associations (you can also have role hierarchies,  
role-role associations, but they aren't necessary for this).  A user  
gets a permission through a user-role association and then  
role-permission association.

Here, to use the LiveJournal wording, each user gets to set up a role  
for their friends and a role for each custom friend group. Then for  
instance to make something visible to a particular custom friends  
group you'd assign the view permission for that something to the  
custom friends group you have in mind.

While it might seem a little odd to use roles for this -- often  
people think of roles as more static, set up by administrators, fewer  
in number, etc -- this parallels the implementation of discretionary  
access control using rbac.  I like rbac because it provides a fairly  
clear framework for thinking about authorization and lets you  
implement a very wide variety of policies using the same basic  
system.  For instance you can implement both this -- the extreme of  
user-based permission management -- and a completely  
administrator-administered access system using the same framework.

I have a couple ideas on how to implement the permissions also which  
I can go into if you want.

thanks
david jencks


>
> THANKS!
> -Zac
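
As an added illustration of the RBAC layout David describes above (example code written for this page, not Roller code and not from anyone in the thread), the model below keeps the four core tables (users, roles, user-role and role-permission links), gives each author a "friends" role plus custom friend-group roles, honours Zac's blog-level "default group", and routes every rendered list through a single deny-by-default check, which is the property Allen points out the rendering side would have to guarantee. All names and entries are constructed for the demo.

```python
"""Per-entry read access on top of core RBAC (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]           # (action, resource), e.g. ("view", "entry:7")
PUBLIC, PRIVATE = "public", "private"  # audiences that need no role grant


class Rbac:
    """Users, roles and the two association tables of core RBAC."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}        # user-role associations
        self.role_perms: Dict[str, Set[Permission]] = {}  # role-permission associations

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, perm: Permission) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def allowed(self, user: Optional[str], perm: Permission) -> bool:
        # A user holds a permission only via user-role, then role-permission.
        for role in self.user_roles.get(user or "", ()):
            if perm in self.role_perms.get(role, ()):
                return True
        return False


@dataclass
class Entry:
    id: str
    author: str
    audience: Optional[str]  # PUBLIC, PRIVATE, a role name, or None = blog default


@dataclass
class Blog:
    owner: str
    default_audience: str = PUBLIC            # Zac's "default group"
    entries: List[Entry] = field(default_factory=list)


def friends_role(owner: str) -> str:
    # Each user owns a "friends" role; custom groups use the same "<owner>:" prefix.
    return f"{owner}:friends"


def effective_audience(blog: Blog, entry: Entry) -> str:
    return blog.default_audience if entry.audience is None else entry.audience


def publish(rbac: Rbac, blog: Blog, entry: Entry) -> None:
    """Store the entry and turn its audience into a role-permission grant."""
    audience = effective_audience(blog, entry)
    if audience not in (PUBLIC, PRIVATE):
        # Only the author's own friend-group roles may be granted view access.
        if not audience.startswith(entry.author + ":"):
            raise ValueError(f"{entry.author} cannot publish to role {audience}")
        rbac.grant(audience, ("view", f"entry:{entry.id}"))
    blog.entries.append(entry)


def can_view(rbac: Rbac, blog: Blog, entry: Entry, viewer: Optional[str]) -> bool:
    """Deny by default: author, public audience, or an explicit role grant."""
    if viewer == entry.author:
        return True
    audience = effective_audience(blog, entry)
    if audience == PUBLIC:
        return True
    if audience == PRIVATE:
        return False
    return rbac.allowed(viewer, ("view", f"entry:{entry.id}"))


def render(rbac: Rbac, blog: Blog, viewer: Optional[str]) -> List[str]:
    """Every output path (page, feed, archive, search) filters through can_view."""
    return [e.id for e in blog.entries if can_view(rbac, blog, e, viewer)]


def demo() -> Dict[Optional[str], List[str]]:
    rbac = Rbac()
    blog = Blog(owner="zac", default_audience=friends_role("zac"))
    rbac.assign("alice", friends_role("zac"))
    rbac.assign("bob", "zac:coworkers")
    publish(rbac, blog, Entry("1", "zac", PUBLIC))
    publish(rbac, blog, Entry("2", "zac", None))            # falls back to friends
    publish(rbac, blog, Entry("3", "zac", "zac:coworkers"))
    publish(rbac, blog, Entry("4", "zac", PRIVATE))
    return {v: render(rbac, blog, v) for v in ("zac", "alice", "bob", "carol", None)}
```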


Re: ACL for viewing individual posts?

Posted by Zac Morris <za...@zacwolf.com>.
> 
> Just to be absolutely clear, you are interested in setting the  
> permissions per blog entry, not per blog?

Yes, but it would also be possible to set one of the groups as 
"default" thus making all posts readable only by that "group".



> I don't know how people use this stuff or want to use it but to me it  
> seems like if I was going to go to the trouble of setting up  
> permissions for something I'd assign them to a blog so that would  
> provide a convenient re-use point.

The difference is, like I said in my original post, the 
difference between "blog as single topic publishing engine" vs. 
"blog as multiple topic journal".

The first approach, which roller now seems to be geared 
towards, is where a given blog is matched to a given audience, 
and then posts to that specific blog match a given "topic" 
readable for everyone reading the blog.  In this model, 
entitlement is based on "poster" privileges, and not reader 
privileges.

The second approach, which LiveJournal is geared towards, is 
where a blog is a personal journal, and you basically set the 
audience for each of your posts [because each post may not 
match a specific "topic"] (i.e. when I post a journal entry that 
contains personal information that I only want a group of 
friends to see).

I have no problem doing the work, but like I said I see this as 
a possible philosophical issue, as it is a paradigm shift of 
how roller could be used, so wanted to know if anyone is 
diametrically opposed.





> 
> I had an idea about "hierarchical blog names" sort of like group/ 
> subgroup/.../blogname. 

Yeah, it has been my experience that only technically minded 
people seem to embrace hierarchical presentation.  Let's take the 
Windows OS as an example.  Since Windows grew out of DOS, the 
hierarchical filesystem is pretty much at the heart of Windows; 
but if you ask the majority of non-technical users to bring up 
"File Manager" they don't have a clue what you're talking 
about.  This is why MS is already looking towards a dB/meta-data 
based OS that won't be hierarchical in nature.  Personally I 
think that sucks, but I've worked with enough of these 
non-technical users to understand that they just don't "get" 
hierarchical file systems.  

Let me say this all another way.  Typically blogs are mostly 
matched to a given "topic".  Let's say a political blog.  An 
individual, or a group of contributors, posts a series of 
entries that match that given topic that is readable by the 
entire "audience".

What I'm talking about is a blog where the contributor IS the 
topic.  Since this kind of blog isn't quite so "clear cut" as 
say a political blog, each "post" might need a different 
audience.  So instead of having to set up multiple individual 
"blogs" for different "topics", what I'm talking about is a 
journal type approach where I post to a single blog, but then I 
can choose the given audience that post is visible to.  Go take 
a look at LiveJournal for exactly what I'm talking about.

THANKS!
-Zac

Re: ACL for viewing individual posts?

Posted by David Jencks <da...@yahoo.com>.
Just to be absolutely clear, you are interested in setting the  
permissions per blog entry, not per blog?

I don't know how people use this stuff or want to use it but to me it  
seems like if I was going to go to the trouble of setting up  
permissions for something I'd assign them to a blog so that would  
provide a convenient re-use point.

I had an idea about "hierarchical blog names" sort of like group/ 
subgroup/.../blogname. From my naive perspective of not knowing what  
you want to do it seems to me as if this, together with assigning  
view permissions to blogs, provides a convenient way to group "your"  
blogs and assign permissions to specific sets of entries.  On the  
other hand this might be a solution in search of a problem.

thanks
david jencks

On Mar 24, 2008, at 9:07 AM, Zac Morris wrote:

> Howdy, I've been tasked with some investigation into
> implementing blogging within our enterprise.  Being that I'm
> not a fan of PHP I prefer roller over wordpress, but there is
> some momentum building to select Wordpress over roller.  The
> biggie that keeps getting mentioned is:
> 1) Wordpress development community more active.
>
> I sort of look at them odd when they say that since roller is
> an apache project, and it's hard to think of a more active
> development community.  So I've decided to try to become active
> in the roller development community myself.  I'm not at liberty
> to say what company I'm with, just yet, so I'm using my
> personal information for now.
>
> The reason that I keep coming back to roller is that it is
> based on Java and it supports Oracle (our Enterprise dB solution).
>
> I've been looking deeper and deeper into roller, and the one
> feature that seems to me to be missing is the concept of
> "audience entitlement".  Said another way, the ability to post
> an entry and then set a "group" that can view that entry
> [public, friends, custom, private].
>
> My background is a more "journal" based approach to blogging
> (i.e. LiveJournal), and not just using blogging as a "public
> publishing system" approach, that I think roller represents?
>
> I'm guessing that the fundamental "approach" (journal vs.
> publishing) is one of root use case, so I wanted to ask the
> roller development community what the thoughts have been
> regarding these two different approaches?
>
> As I see it the "journaling" approach is more about social
> networking.  Enabling the poster to create dynamic groups that
> represent different communities or levels of "trust" regarding
> who can see a given post.  This seems to be compatible with
> personal usage, but in my opinion also seems to mesh well with
> an Enterprise usage.  I say that because most Enterprises
> already have several "public publishing" methods in the form of
> traditional websites, news/announcement publishing systems,
> and/or collaborative workspaces, so what blogging brings to the
> Enterprise is this concept of a single place for a user to
> post, that then gives them an easy way to choose the audience
> for each of those posts.
>
> Before I dig into the code, I wanted to try to understand if
> there was any project "philosophy" regarding these approaches.
>
> THANKS!
> -Zac Morris