Monday 11 October 2004 2:26:56 am

We used a file system kind of permission systems in the 2.x series and quickly discovered that it is way to limited for web use. One of the main problems is that users don't understand the permission controls and sets incorrect permissions giving others to many or to few permissions. It is also very hard for site administrators to find out what content is actually available for the site user and what content is not.

The current system allows you more fine grained control over the possiblities for the different users/user groups based on the actions of the modules without giving to much power to the users themselves. That said, an additional, more file system like, permission system could come in handy in some (few) cases.

Tuesday 12 October 2004 2:45:07 am

The permission system indeed has room for improvement. Per object permissions would be nice to have, but it would also be nice to specify "deny" access rules.

All rules in the permission system are of the "allow" type. But if you have users who should be able to do a lot except a few things, you end up with a huge rule list in a role because you can't specify deny rules.

Hans
http://blog.hansmelis.be

Tuesday 26 October 2004 2:48:50 pm

That would be useful for me too.
I want to set user roles by folders, but the only way I could do this was by setting permission for section, but I need more specific role policies. I have n sections on my site, each one's administrated only by one user, I do not want the other users even to READ the other one's content... I can achieve the "create" and "edit" permissions but not "READ" permission, because I just don't get access to the content at all.