]>
Commit | Line | Data |
---|---|---|
0d5ccc7f TC |
1 | =head1 NAME |
2 | ||
3 | access.pod - access control for administration of BSE | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | The implementation of access control for BSE. | |
8 | ||
9 | =head1 DESCRIPTION | |
10 | ||
11 | The aim is to provide flexible access control, without requiring | |
12 | micro-management from the administrators. | |
13 | ||
14 | Since we want to be control a user's access to specific fields | |
15 | (eg. the template and parent fields), rather than having an admin have | |
16 | to setup specific access to those fields, we want some sort of "macro" | |
17 | mechansim to control several things at once. | |
18 | ||
19 | Some possible access macros could be: | |
20 | ||
21 | =over | |
22 | ||
23 | =item * | |
24 | ||
25 | allow editing body and title of an article | |
26 | ||
27 | =item * | |
28 | ||
29 | add an article, with everything fixed, except for title and body | |
30 | ||
31 | =item * | |
32 | ||
33 | allow changes to everything but the shop | |
34 | ||
35 | =item * | |
36 | ||
37 | allow changes only to the shop | |
38 | ||
39 | =back | |
40 | ||
41 | We also need to be able to separately control whole trees, rather than | |
42 | just specific articles, so it should be possible to refer to "all | |
43 | descendants of article foo". | |
44 | ||
45 | Possible article permissions: | |
46 | ||
47 | =over | |
48 | ||
49 | =item * | |
50 | ||
51 | add child | |
52 | ||
53 | =item * | |
54 | ||
55 | modify | |
56 | ||
57 | =item * | |
58 | ||
59 | modify field I<foo> | |
60 | ||
61 | =item * | |
62 | ||
63 | add image | |
64 | ||
65 | =item * | |
66 | ||
67 | reorder children | |
68 | ||
69 | =item * | |
70 | ||
71 | delete | |
72 | ||
73 | =item * | |
74 | ||
75 | delete image | |
76 | ||
77 | =item * | |
78 | ||
79 | change image details | |
80 | ||
81 | =back | |
82 | ||
83 | =head1 MACRO PERMISSIONS | |
84 | ||
85 | These would be split into two types of macro permissions, those that | |
86 | control specific articles, and those that are applied to an article. | |
87 | ||
88 | Each macro will need to be described in bse.cfg, and the name of the | |
89 | macro assigned an index so that it can be controlled. | |
90 | ||
caa7299c TC |
91 | Since most normal permissions aren't going to be directly useful, the |
92 | only permissions stored in the system will be macro based permissions. | |
93 | ||
0d5ccc7f TC |
94 | =head2 Attached macros |
95 | ||
96 | These name one or more articles and the permissions can be different | |
97 | for each article. | |
98 | ||
99 | =head2 Unattached macros | |
100 | ||
101 | These supply a set of permissions to some article specified through | |
102 | the administration interface. | |
103 | ||
104 | =head1 GROUPS | |
105 | ||
106 | To make it simpler to control permissions, each user belongs to one of | |
107 | more groups, each of which only supplied positive permissions. | |
108 | ||
109 | Whether or not listed in the group, each user is in the "everyone" | |
110 | group. | |
111 | ||
112 | =head1 DEFAULT PERMISSIONS | |
113 | ||
114 | The everyone group, and the administrator user, both have the macro | |
115 | "Full Access" on all descendants of article -1. | |
116 | ||
117 | ||
08123550 TC |
118 | =head1 MACRO STORAGE |
119 | ||
120 | To simplify processing we have two sections in the config file: | |
121 | ||
122 | =over | |
123 | ||
124 | =item * | |
125 | ||
126 | [Global permissions] - keeps permissions that have all article | |
127 | references resolved | |
128 | ||
129 | =item * | |
130 | ||
131 | [Article permissions] - permissions which have to reference an article | |
132 | ||
133 | =back | |
134 | ||
135 | The [permission ids] section is used to translate permission indexes to | |
136 | permission ids. | |
137 | ||
138 | The [permission names] section is used to translate permission indexes | |
139 | to descriptive permission names. | |
140 | ||
141 | =cut | |
142 |