Hi Pubudu,

In point 1
- The comment owner should be able to edit his comment. +1 for that.
- IMHO, I think it is better if we consider the Entry Point. For example, let's say there are two Peters (username). One is a Publisher and the other one is a Consumer. So if we did not check the entry point, one Peter can edit the other Peter's comment without his consent. In order to avoid this, we can check both username (USER_IDENTIFIER) and the entry point (ENTRY_POINT) and give the edit permission.

+1 to the idea of comment moderator/admin should only have the ability to delete comments, not to edit the comments.

Thanks!

On Tue, Oct 2, 2018 at 12:37 PM Pubudu Gunatilaka <[email protected]> wrote:

> Hi Wasura,
>
> On Tue, Oct 2, 2018 at 12:20 PM Wasura Wattearachchi <[email protected]> wrote:
>
>> Ok sure.
>> I have a doubt to be clarified. When editing a comment, we already have a
>> mechanism to check whether the particular person has the *comment
>> moderator* role. If so we give permission to update the comment.
>> But if the user does not have the comment moderator role, we need a
>> mechanism to check whether the *username* and *entry point* both match
>> with the comment that is already in the database and give permission to
>> him/her to modify the particular comment.
>> For example,
>> Assume Peter posts a comment (assume commentId is 1001) using API Store.
>> But Peter does not have the comment moderator role. So in here, we need to
>> allow Peter to modify his own comment. We can check USER_IDENTIFIER and
>> ENTRY_POINT in the comment 1001 retrieved from the database, and if they
>> match with the current USER_IDENTIFIER and ENTRY_POINT, then we must allow
>> modifying the comment. (It confirms that Peter is trying to modify the
>> comment via API Store)
>
> When giving edit rights to the comment, I think we need to check the
> following.
>
> 1. The comment owner should be able to edit his comment. We should not
> consider the entry point in this case. IMHO we should use entry point to
> identify the entry point which we can use to mark the comment user as
> api-publisher in store.
> 2. Comment moderator/Admin roles should be able to delete the comments. I
> think we should avoid editing comments.
>
>> I am looking more into these user roles, and I am trying to distinguish
>> admin and comment moderator roles separately. I think it is better to have
>> the comment moderator role separately, so by default admin will not have
>> that privilege. If someone decides to have a separate person to handle the
>> comment then he/she can be assigned with the comment moderator role.
>>
>> +1 to use a comment moderator separate role if it is possible.
>
> Thank you!
> --
> *Pubudu Gunatilaka*
> Committer and PMC Member - Apache Stratos
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> mobile : +94774078049

--
Wasura Wattearachchi
Software Engineer Intern | WSO2
Email: [email protected]
Mobile: +94775396038
http://wso2.com/signature
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
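The ownership check debated in this thread, as an added example (not code from the thread or from WSO2 API Manager): it contrasts a username-only comparison with one that also matches ENTRY_POINT, using the commentId 1001 case. The class, record and role names and the entry-point values are assumptions; records need Java 16 or later.

```java
import java.util.Objects;
import java.util.Set;

public class CommentPermissions {
    // Hypothetical model; only USER_IDENTIFIER and ENTRY_POINT are named in the thread.
    record Comment(String id, String userIdentifier, String entryPoint) {
        Comment { // reject rows with missing owner data instead of comparing nulls
            Objects.requireNonNull(userIdentifier);
            Objects.requireNonNull(entryPoint);
        }
    }

    record Caller(String userIdentifier, String entryPoint, Set<String> roles) {
        Caller {
            Objects.requireNonNull(userIdentifier);
            Objects.requireNonNull(entryPoint);
        }
    }

    static final String MODERATOR_ROLE = "comment-moderator"; // assumed role name

    // Username-only ownership: any caller with the same username passes.
    static boolean canEditUsernameOnly(Caller caller, Comment comment) {
        return caller.userIdentifier().equals(comment.userIdentifier());
    }

    // Ownership as USER_IDENTIFIER plus ENTRY_POINT; the moderator role grants no edit right.
    static boolean canEdit(Caller caller, Comment comment) {
        return caller.userIdentifier().equals(comment.userIdentifier())
                && caller.entryPoint().equals(comment.entryPoint());
    }

    // Delete is tied to the moderator role; owner deletion is not covered in the thread.
    static boolean canDelete(Caller caller) {
        return caller.roles().contains(MODERATOR_ROLE);
    }

    public static void main(String[] args) {
        // Constructed sample data: two users named Peter, one per entry point.
        Comment c1001 = new Comment("1001", "Peter", "APIStore");
        Caller storePeter = new Caller("Peter", "APIStore", Set.of());
        Caller publisherPeter = new Caller("Peter", "APIPublisher", Set.of());
        Caller moderator = new Caller("Mary", "APIStore", Set.of(MODERATOR_ROLE));

        System.out.println("username only, publisher Peter edits 1001: "
                + canEditUsernameOnly(publisherPeter, c1001));
        System.out.println("with entry point, publisher Peter edits 1001: "
                + canEdit(publisherPeter, c1001));
        System.out.println("with entry point, store Peter edits 1001: "
                + canEdit(storePeter, c1001));
        System.out.println("moderator edits 1001: " + canEdit(moderator, c1001)
                + ", moderator deletes: " + canDelete(moderator));
    }
}
```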
