I'm bumping this old message because I am working on getting our local
forum improvements fed back into the trunk. It's hard to believe it has
been more than a year since I started this! Anyways...
I started to make the permission checking changes I proposed in the
original email, but I have run into another problem. The OFBiz Content
Manager relates party IDs (and their associated roles) to content
records. Most public-facing blogs and forums have nothing more than a
user login ID. Any additional information (the type found in Party
Manager) is usually optional.
So, if a new user (with only a user login ID) subscribes to a forum,
should we create a Person automatically - so a forum/blog admin can
assign the necessary roles, etc?
-Adrian
Adrian Crum wrote:
Right now the forum feature in Content Manager uses basic CRUD
permissions checking - and those permissions start with "CONTENTMGR".
If the forum feature is used stand-alone, then granting a user
permission to use the forums also grants them permission to use the
Content Manager component - not a desirable result. I have some ideas
about forum permissions that I would like to get comments on.
I'd like to change how forum permission checking is handled in two
phases. Phase one would be to simply change the basic CRUD permission
checking to use "FORUM" based permissions: "FORUM_ADMIN"
"FORUMGROUP_CREATE _UPDATE _DELETE" "FORUMTHREAD_CREATE _UPDATE _DELETE"
and so on. This would enable the forum feature to be used stand-alone
immediately.
Phase two would be to change the permissions checking entirely to make
permitted actions more role based. There would be forum admins or
moderators, forum users would "subscribe" to a forum and be given some
basic permissions, and admins or moderators could grant subscribers
additional permissions as they see fit. This phase would make the forums
operate more like what you see in social networking sites and the like.
Both phases bring up a problem I don't know how to solve. It's the same
problem I've run into before in other areas of OFBiz - the java code and
simple methods that are used have embedded permissions checking in them.
Even if we do forum-specific permissions checking in the forum
component, the methods that are called will be doing Content Manager
permissions checking. I worked around that problem on my local copy by
recreating the content manager methods in minilang and removing the
embedded permissions checking.
So, I need comments/advice/suggestions for phase one, phase two, and how
to overcome embedded permissions checking in java code and simple methods.
-Adrian
