The following is a discussion of new permission operations that could go into Lyons. The overall theme is to segment out the currently all-encompassing ADMIN role to allow delegation of specific administrative duties such as modifying the look and feel, performing content moderation, performing user/group maintenance, and managing services/extensions.
USERADMIN
Perform user management tasks such as adding/removing users and groups.
- Can it change the roles of a user? Yes.
  - Then the user can escalate themselves to have ADMIN or xADMIN -> Bad.
    - Fix1: changing a user/group to a role with xADMIN requires the changer to have a role with ADMIN
    - Fix2: changing a user/group to a role requires the changer to have all operations in the proposed role
- Bans (get/post/delete)? -> Maybe
- Reset passwords -> sure
- Move homepage of user (required for user rename) -> Probably
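The escalation described above and the two proposed fixes, compared side by side as an added example (not code from the project). The bit values, role compositions and function names are constructed for illustration; xADMIN is read as the four delegated admin operations, and ADMIN is assumed to pass any check because the page describes it as all-encompassing.

```python
from enum import IntFlag

# Operation names come from the page; the bit values are constructed here.
Op = IntFlag("Op", ["LOGIN", "BROWSE", "READ", "SUBSCRIBE", "UPDATE", "CREATE",
                    "DELETE", "CHANGEPERMISSIONS", "USERADMIN", "CONTENTADMIN",
                    "SERVICEADMIN", "STYLEADMIN", "ADMIN"])

XADMIN = Op.USERADMIN | Op.CONTENTADMIN | Op.SERVICEADMIN | Op.STYLEADMIN
ADMIN_CLASS = XADMIN | Op.ADMIN          # assumption: Fix1 also guards ADMIN itself
CAN_ASSIGN = Op.USERADMIN | Op.ADMIN     # who may change roles at all

def unchecked(changer, proposed):
    """No fix: any USERADMIN may assign any role, including ADMIN."""
    return bool(changer & CAN_ASSIGN)

def fix1(changer, proposed):
    """Fix1: a role carrying an admin-class operation needs an ADMIN changer."""
    if not changer & CAN_ASSIGN:
        return False
    if proposed & ADMIN_CLASS:
        return bool(changer & Op.ADMIN)
    return True

def fix2(changer, proposed):
    """Fix2: the changer must already hold every operation in the proposed role."""
    if not changer & CAN_ASSIGN:
        return False
    if changer & Op.ADMIN:               # assumption: ADMIN acts as a wildcard
        return True
    return (proposed & changer) == proposed

def compare(changer, proposed):
    """Return the (unchecked, fix1, fix2) decisions for one role change."""
    return (unchecked(changer, proposed), fix1(changer, proposed),
            fix2(changer, proposed))

# Constructed role definitions, not taken from the page.
USER_MANAGER = Op.LOGIN | Op.BROWSE | Op.READ | Op.USERADMIN
MODERATOR = USER_MANAGER | Op.CONTENTADMIN
CONTRIBUTOR = Op.LOGIN | Op.BROWSE | Op.READ | Op.UPDATE | Op.CREATE | Op.DELETE

if __name__ == "__main__":
    cases = {"user manager -> ADMIN role": (USER_MANAGER, Op.LOGIN | Op.ADMIN),
             "user manager -> contributor role": (USER_MANAGER, CONTRIBUTOR),
             "moderator -> CONTENTADMIN role": (MODERATOR, MODERATOR & ~Op.USERADMIN)}
    for label, (changer, proposed) in cases.items():
        print(label, compare(changer, proposed))
```

The two fixes disagree in both directions: Fix1 still lets a USERADMIN hand out page operations it does not hold, while Fix2 lets a holder of CONTENTADMIN pass that operation on without ADMIN.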
CONTENTADMIN
Content moderation duties that allow full access to all data in the wiki.
- Delete/edit other people's comments? Yes.
  - Comment edit/delete should be possible if it's your comment or you're contentadmin
- Bans (get/post/delete)? -> Probably
- View/Restore files and pages -> Yeah
- Move homepage of user (required for user rename) -> Maybe
- Current restrictions filter out the contentadmin (restrictions should have been explicit rights removed rather than rights maintained).
  - Fix: Having contentadmin bypasses restrictions in CalculateEffectivePageRights the same way as having admin currently bypasses them
    - Option1: having contentadmin implicitly gives you BROWSE | READ | SUBSCRIBE | UPDATE | CREATE | DELETE | CHANGEPERMISSIONS regardless of restriction, without them being required in the role. A role can then simply be LOGIN | CONTENTADMIN
      - PermissionBL.IsActionAllowed is modified to treat contentadmin as a wildcard that allows the above preset array of operations
    - Option2: having contentadmin gives you the above operations regardless of restriction only if you have those operations as a result of user/group grants. A role would then have to be LOGIN | (various page operations) | CONTENTADMIN
      - No changes needed to PermissionBL.IsActionAllowed. The restriction is simply not applied, but right calculations are still performed. contentadmin is not treated as a wildcard the way admin is
SERVICEADMIN
Manage current extensions and services
- CRUD and stop/restart services
STYLEADMIN
Manage the look and feel of the wiki
- Need to create a whitelist of config keys that are allowed to be modified by styleadmin. Other modifications require admin?
COMMENT
A page-oriented flag allowing a user to post comments