[Typo3-dev] RFC: New access control options

Kasper Skårhøj kasper2004 at typo3.com
Mon Aug 9 13:12:52 CEST 2004


Hi Folks,

I just finished a few new access control options in TYPO3 which some of
you have been waiting for and requesting for years;

1) You can now limit a user to access/edit records only of a certain
language. (For instance, a user can only edit French content elements)
http://130.228.0.33/t3dl/shot3.png

2) You can now limit a user to select only certain values in any
selectorbox; Here and now that is requested for content element types
and also selection of plugins.
http://130.228.0.33/t3dl/shot2.png


My request for comments is about point 2:

Situation: 
People want to allow editors to create "Text" and "Bulletlist" content
elements etc. Basically all the "non-harmful" types. But they want to
restrict them from creating "Insert Plugin" content elements!
Alternatively they might allow creating "Insert Plugin" type content
elements but then restrict WHICH of the available plugins the user can
select.

Options:
With the new access control options the situation is easy: Any selector
box in TCEforms can now be controlled on a per-value level. For this
there are three modes:
- "explicitAllow" - if this mode is set all values cannot be selected
UNLESS the user has explicitly been allowed to select it. This resembles
how "excludeFields" work. The downside is that if this is used, all
people upgrading TYPO3 to the next version will have to consider for
each user group which content elements should be allowed because by
default they will all be non-allowed - hence the upgrade process will
take a lot of time.
- "explicitDeny" - if this mode is set all values can be selected by
default UNLESS the user has explicitly been denied access to it. This
mode makes the upgrade easy because all users will by default be able to
select what they always could select and only if a field is explicitly
denied for the user group (in the access lists) then it cannot be
selected. But on the other hand; Any new content element type installed
by an extension will also be available unless explicitly denied...
- "individual" - while the other two modes regard all values in the
selector box this mode allows us to pick out certain values from a
selector box and control only them. For instance we could define that we
want to specifically control allow/deny access to the "Insert Plugin"
content element type while all other types are always allowed and not
under access restrictions. The good thing is that you don't get the
option of controlling access to lots of basic elements like "Text" and
"Bulletlist" which you might always want people to have. On the other
hand this is also a freedom you lose.

So, the question is; What mode should be the default in the next
release? (Notice; Since this is just a question of configuration you can
theoretically always override it for individual installations with an
extension - but still, we should make a good default that everyone
agrees on.).



Another thing;

I introduced two new render modes for selector boxes which means that
when you have a list of values like "ExcludeFields" you do not need to
see two lists where you pick elements in the one which is moved to the
other; You can now just have a single multiple-select list. Another
option is to render each element as checkboxes which also features the
ability to attach small descriptions. I have implemented this new
behaviour for Backend Usergroup configuration where I believe it
enhances usability. The underlying data format is exactly the same.
Please see this screenshot and comment if you have any interventions
before the 3.7.0 release.

http://130.228.0.33/t3dl/shot1.png

(All these changes are in CVS and can be tested by yourself of
course...)





-- 
- kasper

--------
Please notice NEW EMAIL ADDRESS for 2004!! (due to SPAM-contamination)
	
"kasper2004 at typo3.com"
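
Added example, not part of the original message and not TYPO3 code: a small Python model of the three modes described above, comparing what a freshly upgraded group (empty access lists) and a configured group can select, including a content element type added later by an extension. The value names, the group record layout and the per-value rule used for "individual" mode are assumptions made for illustration.

```python
# Model of the three selector-box access modes from the message above.
# Illustration only; every name and data structure here is constructed.

MODES = ("explicitAllow", "explicitDeny", "individual")


def may_select(mode, value, group, rules=None):
    """Decide whether a member of `group` may pick `value` in a selector box."""
    allowed = group.get("allow", set())
    denied = group.get("deny", set())
    if mode == "individual":
        # Only values picked out in `rules` are controlled; all others stay open.
        rule = (rules or {}).get(value)
        if rule is None:
            return True
        mode = rule  # assumption: a controlled value uses one of the two list modes
    if mode == "explicitAllow":
        return value in allowed       # default deny: must be listed
    if mode == "explicitDeny":
        return value not in denied    # default allow: blocked only if listed
    raise ValueError(f"unknown mode: {mode!r}")


def compare_modes(values, group, rules=None):
    """Map each mode to the values the group could select under it."""
    return {m: [v for v in values if may_select(m, v, group, rules)]
            for m in MODES}


# Constructed sample data.
CORE = ["text", "bulletlist", "insert_plugin"]
WITH_EXTENSION = CORE + ["ext_gallery"]      # type installed later by an extension
RULES = {"insert_plugin": "explicitAllow"}   # "individual": control only this value
UPGRADED = {}                                # group as it looks right after upgrade
EDITORS = {"allow": {"text", "bulletlist"}, "deny": {"insert_plugin"}}

if __name__ == "__main__":
    for name, group in (("upgraded", UPGRADED), ("editors", EDITORS)):
        for mode, picks in compare_modes(WITH_EXTENSION, group, RULES).items():
            print(f"{name:9} {mode:14} {picks}")
```

The output makes the trade-off concrete: explicitAllow leaves the upgraded group with nothing until someone configures it, while explicitDeny and "individual" both let the extension-installed type through unless it is listed.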





