On 15 Jan, Derek Beattie wrote:
> What is the intended way to set midgard security up so that content users can
> go in and modify content? In a way that limits the user to only the content
> they have access to modify? Basically, so they can't destroy things?

Now, Ron already wrote an answer, but I'll also
try to write a word or two about this...

Between the three major versions of Midgard, there
has been some variation in how access control is
handled.

Midgard 0.x series had some support for access control
lists (ACLs), and so was quite flexible in its permission
system. However, the ACL system was removed to simplify
things for the initial 1.0 public release.

The Midgard 1.x series (which is where we're now) has
a quite basic permission system based on user groups
and ownerships. The permission system only works with
controlling modification of records, and so read-level
access control has to be implemented in the PHP level
(by doing checks against mgd_is_member($GROUP)).

Users are assigned permissions based on what groups
they are members of. First there is the Administrator
(#0) group, which is the equivalent of the root user on
Unix systems. Members of this group can do anything
on the system. On a well-managed server, there shouldn't
be a need for other personnel besides server admins to be
members of that group, as everything else can be handled
by creating a proper group system.

Then you have the normal groups. Besides access
control, groups can also be used for grouping users
together for contact information listings etc. but they also
can be assigned ownerships of various parts of the
Midgard database. Groups can also own other groups,
in which they also gain permission to everything the
child group has permissions for.

Groups can also own styles or hosts, which is
useful if you have developers or designers whom
you don't want to provide with actual Administrator
permissions on the system. Just create them the
needed root style or host and give the ownership
to their group, and they're all set.

As to content management, groups can be assigned
ownership of any topic, including a toplevel topic.
If a group owns a topic, they also have modification
rights to all child topics of that topic, and all
articles in them. This way, if you assign ownership
of a toplevel topic to a group, they can control
that whole tree.

Besides this group-based access control, there is
also some user-based control. Users can be marked
as authors of a specific page or article, and after
that they gain modification access to that page or
article.

Midgard 2.x will bring the ACL system back, this
time implemented by Emile. This will allow Midgard
developers to have much more fine-grained control
of who can access what content. The Midgard 2 ACL
system is however something that Emile will be
more capable of explaining...

Hopefully this helped with your question. As to
anything besides this, it is possible to write
quite nice access control logic on the PHP level
using these hooks provided by Midgard's ownership
system (for example, modify the 'delete' operation
in your Admin site to check for membership of a
particular group).

> Derek

/Bergie
--
-- Henri Bergius -- +358 40 525 1334 -- [EMAIL PROTECTED] --
http://www.iki.fi/Henri.Bergius
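A plain-PHP model of the Midgard 1.x modification rules described in the message above, added here as an illustration; it is not part of the original post and not Midgard's own code. The data layout, ids and function names are hypothetical, group ownership is assumed to be followed transitively, and on a real site the membership test would be the mgd_is_member() call the message mentions.

```php
<?php
// Constructed sample data; every id and name is hypothetical, not Midgard's schema.
$db = [
    'groupOwner' => [10 => 20],                      // group 10 is owned by group 20
    'topics' => [
        1 => ['up' => null, 'owner' => 10],          // toplevel topic owned by group 10
        2 => ['up' => 1,    'owner' => null],        // child topic with no owner of its own
        3 => ['up' => null, 'owner' => 30],          // separate tree owned by group 30
    ],
    'articles' => [
        100 => ['topic' => 2, 'author' => 7],
        101 => ['topic' => 3, 'author' => 8],
    ],
];

// Membership in $gid itself, or in a group that owns it (followed transitively).
function holds_group(array $memberOf, ?int $gid, array $groupOwner): bool {
    $seen = [];
    while ($gid !== null && !isset($seen[$gid])) {
        if (in_array($gid, $memberOf, true)) return true;
        $seen[$gid] = true;                          // guard against ownership cycles
        $gid = $groupOwner[$gid] ?? null;
    }
    return false;
}

function can_modify_article(int $uid, array $memberOf, int $articleId, array $db): bool {
    if (in_array(0, $memberOf, true)) return true;   // Administrator (#0) group
    $article = $db['articles'][$articleId];
    if ($article['author'] === $uid) return true;    // user marked as the article's author
    // Ownership of any ancestor topic grants rights on the whole subtree.
    for ($t = $article['topic']; $t !== null; $t = $db['topics'][$t]['up']) {
        if (holds_group($memberOf, $db['topics'][$t]['owner'], $db['groupOwner'])) return true;
    }
    return false;
}

// Stricter PHP-level rule for 'delete': modification rights plus a designated group.
function can_delete_article(int $uid, array $memberOf, int $articleId, array $db, int $deleteGroup): bool {
    $trusted = in_array(0, $memberOf, true) || in_array($deleteGroup, $memberOf, true);
    return $trusted && can_modify_article($uid, $memberOf, $articleId, $db);
}

var_dump(can_modify_article(5, [10], 100, $db));      // member of the owning group, child topic
var_dump(can_modify_article(6, [20], 100, $db));      // member of the group that owns group 10
var_dump(can_modify_article(7, [], 100, $db));        // author, no group membership
var_dump(can_modify_article(5, [10], 101, $db));      // other tree, not the author
var_dump(can_delete_article(5, [10], 100, $db, 40));  // may modify, but not in delete group 40
var_dump(can_delete_article(5, [10, 40], 100, $db, 40));
```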