Development Discussion Board

[Comkid]

How will the permissions be set up for phpBB4? I also suggest making a Module in the ACP to add permissions and modify MODX to include the permissions required and their value.

[naderman]

The idea of this forum is to discuss and make decisions on phpBB4's core design together. It's not a "you ask, we tell" kind of idea Decisions still need to be made, so I honestly can't tell you what permissions are going to work like at all.

[code reader]

let me try my hand at outlining how permission system should work. like anything else, *these are my views and i do not see them as some god-given truth*.
-- there are 5 permission states:
"never", "no", "undefined" (or "default"), "yes" and "always".
"never" trumps everything, "always" trumps "no", and "no" trumps "yes"

-- as far as permissions are concerned, there are no users or forums, only user groups and forum groups.
-- if you want to give special permissions to a specific user or forum, you have to create a group for them.
-- each forum belongs to a single forum group, and each user belongs to *one or more* user groups.
-- there is a "base user group" and "base forum group". no user belongs to base (except, maybe anonymous) and no forum belongs to base.
-- each user group and each forum group (except the base groups) inherits from another group. care should be taken to avoid circular reference
-- when computing group permissions, you climb the inheritance chain, until you hit something other than default.
-- when computing a user permissions, you consider all the groups this user is a member of, and calculate the permission based on the "trumping rules"
-- in addition to "users groups" and "forum groups", there is a "user group/forum group" sparse matrix. typically, most or all of the cells on this matrix are unpopulated (i.e., most individual permissions in most of the cells are "undefined" or "default") , but when any is, it trumps both the user group permission and the forum group permission for this user group/forum group combination

the permissions UI is one of the parts of phpbb3 that needs to be thrown away without a second look, and a completely new UI should be designed.

peace.

[naderman]

Without getting into too much detail right now - I'll post here again at a later point also replying to you, code reader - I think we should decouple permissions from the forum concept and rather deal with arbitrary permission domains. These could be forums, pages, topics, posts or whatever. This would however require that we can deal with multiple domains.

We might also want to think about a concept of hierarchy in these domains so we can implement inherited permissions properly. On the other hand this might be unecessary if the grouping of objects is done right in the UI.

[code reader]

seems reasonable.
if you replace in my rant "forum group" with "domain", i think you'll be pretty much where you point.

i skipped the more detailed issues, e.g. of having "super-users" where permissions do not apply at all, or designating users as "group leaders" who can execute specific actions on specific user group without being subjected to the constraints of the group etc.

peace.

[Dog Cow]

I think we should decouple permissions from the forum concept and rather deal with arbitrary permission domains. These could be forums, pages, topics, posts or whatever.

Since my site has much more permissions-controlled areas than just the forums, I wrote my own permissions system a year ago. It got rid of the system I hated, groups, and replaced it with roles.

How it works is that each major area of the site which has access permissions is called a zone. Right now, I have 7 or so zones: forums, newsstand, gallery, knowledge base, auditorium, and so on.

Each zone has its own set of permissions. So for the forums, there's auth_post, auth_reply, auth_vote and so on. Pretty standard. Within each zone, sub-zones can be defined to give permissions for only a particular forum, category, or section. If the sub-zone is set to 0, then that means that all sections are affected, or in other words, global permissions.

Sets of Yes/No settings for each zone are grouped into Roles, just like in phpBB 3's auth system. For forums, I have two roles: Moderator, and Private Access. Moderator role allows the user mod privileges, while Private Access allows the user to access a forum marked as hidden/private.

The final step is to apply these roles to a user. I can either give the user a role in certain sub-zones, or I can give the user global permissions. I can also check to see which users have been assigned what roles, and vice-versa.

Now, obviously, this system was just designed for my own personal use on my site, and as such may not be general enough for everyone, but that's just a basic description of how it works. I'm quite satisfied with it!

[code reader]

let me try:

a "permission" is basically an answer to the question: "is this action allowed"

i will keep naderman terminology of "domain".

so, if i understand you correctly, your "zones" are "domain types".

a "domain type" defines a set of actions possible in domains of this type.

so each domain has the following attributes:
-- name
-- type
-- parent, which, by definition is another domain of the same type
-- permissions: per each of the actions listed in this "type", one of the 5 permission values
-- permission usergroup matrix: typically empty or sparse matrix that define "special casing" of the permissions for specific user groups


whenever a specific permission is undefined, we climb the inheritance chain until we find a definition.
we repeat the same chain for the user groups this user belongs to, and use the trumping rules to eventually arrive at the conclusion whether or not user X can execute operation Y in domain Z.

makes sense?
if we can agree on this logic, writing a simple and clear code that implements it should not be too hard a task.

peace.

[Sam]

With permissions, I would like to see User permissions, Group permissions, and Forum permissions removed, and use only roles. It is so much cleaner to simply edit the role. I also believe it will help to limit confusion, as now there are 3 different ways to assign permissions: roles, per user, and per group. This will make the permissions for the entire board more consistent and easier to troubleshoot should someone have some trouble with setting the permissions.