On 10/7/05, Lethalman <[EMAIL PROTECTED]> wrote:
> Ok we have the following roles (-> means inherit):
> user
> user.vote_polls -> user
> user.all -> user, user.vote_polls
> admin -> user.all
> admin.view_polls -> admin
> admin.edit_polls -> admin.view_polls
> admin.del_polls -> admin.view_polls
> admin.super -> admin, admin.view_polls, admin.del_polls

The inheritance aspect is interesting, but I don't think I like the mixing up of roles and permissions. Creating a UI that helps ensure that the right thing is done seems like it may be tricky. That said, this does allow for a succinct representation of the permissions.

The more "traditional" roles/permissions way is something like:

User role has vote_polls permission
Admin role has view_polls
Superadmin role has del_polls, edit_polls

And then a user would have some combination of those roles.

It just seems to me that the traditional way does not do as much permission granting implicitly. Particularly with security, it should be very clear to an administrator what someone is allowed to do and why.

Kevin
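
Added example, not part of the original message or of any project's code: it expands the inherited role list quoted above so that every role a holder effectively gets is listed together with the chain that grants it, which is the "what and why" view discussed in the reply. The function names `explain`, `implicit_grants` and `audit` are hypothetical.

```python
# Role inheritance copied from the quoted message ("->" means inherit).
INHERITS = {
    "user": [],
    "user.vote_polls": ["user"],
    "user.all": ["user", "user.vote_polls"],
    "admin": ["user.all"],
    "admin.view_polls": ["admin"],
    "admin.edit_polls": ["admin.view_polls"],
    "admin.del_polls": ["admin.view_polls"],
    "admin.super": ["admin", "admin.view_polls", "admin.del_polls"],
}

def explain(role, inherits=INHERITS):
    """Map every role reachable from `role` to the shortest chain granting it."""
    if role not in inherits:
        raise KeyError(f"unknown role: {role}")
    chains = {role: [role]}
    queue = [role]
    while queue:                      # breadth-first: first chain found is shortest
        current = queue.pop(0)
        for parent in inherits[current]:
            if parent not in inherits:
                raise KeyError(f"{current} inherits undefined role {parent}")
            if parent not in chains:  # visited check also makes cycles harmless
                chains[parent] = chains[current] + [parent]
                queue.append(parent)
    return chains

def implicit_grants(role, inherits=INHERITS):
    """Roles held only through inheritance, not listed directly on `role`."""
    direct = set(inherits[role]) | {role}
    return sorted(set(explain(role, inherits)) - direct)

def audit(role):
    """One line per effective role, showing the chain that justifies it."""
    return [" -> ".join(chain) for _, chain in sorted(explain(role).items())]

if __name__ == "__main__":
    for line in audit("admin.super"):
        print(line)
    print("implicit:", implicit_grants("admin.super"))
```

With the list exactly as quoted, `admin.super` reaches every role except `admin.edit_polls`, which nothing else inherits.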