[bse.git] / site / docs / access.pod

=head1 NAME

access.pod - access control for administration of BSE

=head1 SYNOPSIS

The implementation of access control for BSE.

=head1 DESCRIPTION

The aim is to provide flexible access control, without requiring
micro-management from the administrators.

Since we want to be control a user's access to specific fields
(eg. the template and parent fields), rather than having an admin have
to setup specific access to those fields, we want some sort of "macro"
mechansim to control several things at once.

Some possible access macros could be:

=over

=item *

allow editing body and title of an article

=item *

add an article, with everything fixed, except for title and body

=item *

allow changes to everything but the shop

=item *

allow changes only to the shop

=back

We also need to be able to separately control whole trees, rather than
just specific articles, so it should be possible to refer to "all
descendants of article foo".

Possible article permissions:

=over

=item *

add child

=item *

modify

=item *

modify field I<foo>

=item *

add image

=item *

reorder children

=item *

delete

=item *

delete image

=item *

change image details

=back

=head1 MACRO PERMISSIONS

These would be split into two types of macro permissions, those that
control specific articles, and those that are applied to an article.

Each macro will need to be described in bse.cfg, and the name of the
macro assigned an index so that it can be controlled.

Since most normal permissions aren't going to be directly useful, the
only permissions stored in the system will be macro based permissions.

=head2 Attached macros

These name one or more articles and the permissions can be different
for each article.

=head2 Unattached macros

These supply a set of permissions to some article specified through
the administration interface.

=head1 GROUPS

To make it simpler to control permissions, each user belongs to one of
more groups, each of which only supplied positive permissions.

Whether or not listed in the group, each user is in the "everyone"
group.

=head1 DEFAULT PERMISSIONS

The everyone group, and the administrator user, both have the macro
"Full Access" on all descendants of article -1.


=head1 MACRO STORAGE

To simplify processing we have two sections in the config file:

=over

=item *

[Global permissions] - keeps permissions that have all article
references resolved

=item *

[Article permissions] - permissions which have to reference an article

=back

The [permission ids] section is used to translate permission indexes to
permission ids.

The [permission names] section is used to translate permission indexes
to descriptive permission names.

=cut
Commit	Line	Data
0d5ccc7f TC	1	=head1 NAME
	2
	3	access.pod - access control for administration of BSE
	4
	5	=head1 SYNOPSIS
	6
	7	The implementation of access control for BSE.
	8
	9	=head1 DESCRIPTION
	10
	11	The aim is to provide flexible access control, without requiring
	12	micro-management from the administrators.
	13
	14	Since we want to be control a user's access to specific fields
	15	(eg. the template and parent fields), rather than having an admin have
	16	to setup specific access to those fields, we want some sort of "macro"
	17	mechansim to control several things at once.
	18
	19	Some possible access macros could be:
	20
	21	=over
	22
	23	=item *
	24
	25	allow editing body and title of an article
	26
	27	=item *
	28
	29	add an article, with everything fixed, except for title and body
	30
	31	=item *
	32
	33	allow changes to everything but the shop
	34
	35	=item *
	36
	37	allow changes only to the shop
	38
	39	=back
	40
	41	We also need to be able to separately control whole trees, rather than
	42	just specific articles, so it should be possible to refer to "all
	43	descendants of article foo".
	44
	45	Possible article permissions:
	46
	47	=over
	48
	49	=item *
	50
	51	add child
	52
	53	=item *
	54
	55	modify
	56
	57	=item *
	58
	59	modify field I<foo>
	60
	61	=item *
	62
	63	add image
	64
65	=item *
66
67	reorder children
68
69	=item *
70
71	delete
72
73	=item *
74
75	delete image
76
77	=item *
78
79	change image details
80
81	=back
82
83	=head1 MACRO PERMISSIONS
84
85	These would be split into two types of macro permissions, those that
86	control specific articles, and those that are applied to an article.
87
88	Each macro will need to be described in bse.cfg, and the name of the
89	macro assigned an index so that it can be controlled.
90
caa7299c TC	91	Since most normal permissions aren't going to be directly useful, the
	92	only permissions stored in the system will be macro based permissions.
	93
0d5ccc7f TC	94	=head2 Attached macros
	95
	96	These name one or more articles and the permissions can be different
	97	for each article.
	98
	99	=head2 Unattached macros
	100
	101	These supply a set of permissions to some article specified through
	102	the administration interface.
	103
	104	=head1 GROUPS
	105
	106	To make it simpler to control permissions, each user belongs to one of
	107	more groups, each of which only supplied positive permissions.
	108
	109	Whether or not listed in the group, each user is in the "everyone"
	110	group.
	111
	112	=head1 DEFAULT PERMISSIONS
	113
	114	The everyone group, and the administrator user, both have the macro
	115	"Full Access" on all descendants of article -1.
	116
	117
08123550 TC	118	=head1 MACRO STORAGE
	119
	120	To simplify processing we have two sections in the config file:
	121
	122	=over
	123
	124	=item *
	125
	126	[Global permissions] - keeps permissions that have all article
	127	references resolved
	128
	129	=item *
	130
	131	[Article permissions] - permissions which have to reference an article
	132
	133	=back
	134
	135	The [permission ids] section is used to translate permission indexes to
	136	permission ids.
	137
	138	The [permission names] section is used to translate permission indexes
	139	to descriptive permission names.
	140
	141	=cut
	142