Hi Wasura,

On Tue, Oct 2, 2018 at 12:20 PM Wasura Wattearachchi <[email protected]> wrote:
> Ok sure.
> I have a doubt to be clarified. When editing a comment, we already have a
> mechanism to check whether the particular person has the *comment
> moderator* role. If so we give permission to update the comment.
> But if the user does not have the comment moderator role, we need a
> mechanism to check whether the *username* and *entry point* both match
> with the comment that is already in the database and give permission to
> him/her to modify the particular comment.
> For example,
> Assume Peter posts a comment (assume commentId is 1001) using API Store.
> But Peter does not have the comment moderator role. So in here, we need to
> allow Peter to modify his own comment. We can check USER_IDENTIFIER and
> ENTRY_POINT in the comment 1001 retrieved from the database, and if they
> match with the current USER_IDENTIFIER and ENTRY_POINT, then we must allow
> modifying the comment. (It confirms that Peter is trying to modify the
> comment via API Store)
>

When giving edit rights to the comment, I think we need to check the following.

1. The comment owner should be able to edit his comment. We should not consider the entry point in this case. IMHO we should use entry point to identify the entry point which we can use to mark the comment user as api-publisher in store.
2. Comment moderator/Admin roles should be able to delete the comments. I think we should avoid editing comments.

>
> I am looking more into these user roles, and I am trying to distinguish
> admin and comment moderator roles separately. I think it is better to have
> the comment moderator role separately, so by default admin will not have
> that privilege. If someone decides to have a separate person to handle the
> comment then he/she can be assigned with the comment moderator role.
>

+1 to use a separate comment moderator role if it is possible.

Thank you!
--
*Pubudu Gunatilaka*
Committer and PMC Member - Apache Stratos
Senior Software Engineer
WSO2, Inc.: http://wso2.com
mobile : +94774078049
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
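
The two edit rules discussed in this thread, evaluated side by side for comment 1001. This is an added example, not part of the original e-mail and not WSO2 code; the class and function names, the role names and the sample entry-point values are assumptions.

```python
from dataclasses import dataclass

# Role names and entry-point values below are assumptions for this sketch.
MODERATOR = "comment-moderator"
DELETE_ROLES = frozenset({MODERATOR, "admin"})

@dataclass(frozen=True)
class Comment:
    comment_id: str
    user_identifier: str  # USER_IDENTIFIER stored with the comment
    entry_point: str      # ENTRY_POINT stored with the comment

@dataclass(frozen=True)
class Caller:
    user_identifier: str
    entry_point: str
    roles: frozenset = frozenset()

def may_edit_quoted(caller, comment):
    """Rule in the quoted message: moderator, or user AND entry point match."""
    if MODERATOR in caller.roles:
        return True
    return (caller.user_identifier == comment.user_identifier
            and caller.entry_point == comment.entry_point)

def may_edit_reply(caller, comment):
    """Rule in the reply: owner only; entry point is not an authorization input."""
    return caller.user_identifier == comment.user_identifier

def may_delete_reply(caller, comment):
    """Rule in the reply: moderator/admin roles delete. Owner deletion is not
    addressed in the thread, so it is not granted here (default deny)."""
    return bool(caller.roles & DELETE_ROLES)

def decisions():
    c = Comment("1001", "peter", "store")  # constructed sample data
    callers = {
        "peter@store": Caller("peter", "store"),
        "peter@publisher": Caller("peter", "publisher"),
        "mallory@store": Caller("mallory", "store"),
        "moderator": Caller("alice", "store", frozenset({MODERATOR})),
    }
    return {name: (may_edit_quoted(k, c), may_edit_reply(k, c), may_delete_reply(k, c))
            for name, k in callers.items()}

if __name__ == "__main__":
    for name, (quoted, reply_edit, reply_delete) in decisions().items():
        print(f"{name:16} edit(quoted)={quoted} edit(reply)={reply_edit} delete(reply)={reply_delete}")
```

The rows where the two rules differ are the owner arriving through a different entry point and the moderator attempting an edit.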
