[Typo3-dev] More advanced permissions handling?

Martin Poelstra martin at beryllium.net
Mon Jan 3 13:19:17 CET 2005


Hi Stig,

For the website of the Technische Universiteit Eindhoven we built a system 
to let non-admin users create new backend-groups (hierarchical) and allow 
them to change permissions on pages they administer, without them being 
'real' admins. We call those users "subadmins".

In our organisation we needed to let the Subadmins decide which Roles 
someone should have. With Roles we then mean things like: "Content Editor", 
or "Calendar Editor", or "News Editor", or even "Subadmin".
So, I defined a few groups named e.g. role_content and role_subadmin. Now, 
these groups only give access to view/modify tables and edit certain 
exclude-fields, but they don't define DB- or Filemounts.
I added an extra flag to the groups, which is set for Role-groups, so it's 
hidden in the normal Group-selectors (e.g. when changing the group of a 
page).

We also created a backend-module where a Subadmin sees a tree of his groups, 
and where he can add groups, put users in it and control the DB- and 
Filemounts of the groups.
After every user there's a list of icons, showing the roles of that user: 
the icon is either on, or off, and can be clicked to turn the corresponding 
role off or on for THAT user.

Now, essentially, both role-groups and 'normal'-groups are the same, but we 
chose to make a very clear distinction between them.

Unfortunately we only have Dutch documentation for end-users for it, and no 
other docs, but if you're interested I can send you the docs so you can look 
at some screenshots.
We also patched the current "Edit Page Permissions"-screen, so one can now 
e.g. do things like: turn only the Delete-Page-bit off for all pages below 
this page.

Grtz,
Martin

----- Original Message ----- 
From: "Stig N. Færch" <stig at 8620.dk>
Newsgroups: typo3.dev
To: <typo3-dev at lists.netfielders.de>
Sent: Friday, December 31, 2004 10:59 AM
Subject: Re: [Typo3-dev] More advanced permissions handling?


>> OK, but you could for now just name the group "ROLE: ...." and then
>> it would be obvious which you should select.
>>
>> I don't see a big difference. However traditionally people have been
>> begging for user roles. I believe groups=roles, you just have to think
>> of them in that way. (and configure them to act as roles of course)
>
> I agree very much with this. I also think of be-groups as being roles.
> But I'm not entirely sure that you understand what I mean.
> When a user has several roles, his permissions are much wider, and in 
> some situations this user will suddenly have access to things that weren't 
> intended.
> This for example happens when 1 and 2 are allowed in role A, but only 1 is 
> allowed in role B. In this situation 2 is suddenly also allowed in role B.
>
> Now if a user could switch between the roles which he is assigned in a 
> dropdown list (turning off/disabling the roles which are not selected and 
> be-groups which are not roles), we could overcome this problem without 
> changing too much.
> Of course this is only a guess, because I don't understand the complexity 
> of the permissions system.
>
> /Stig
>
>> On Fri, 2004-12-31 at 08:45, Stig N. Færch wrote:
>>> These were the other suggestions I had:
>>>
>>> /Stig
>>>
>>>>> Yes, it will be far too complicated to implement and one should
>>>>> keep a permission system simple.
>>>>
>>>> Okay, it might be too complex to do this.
>>>> But then I have a couple of ideas which might be easier to
>>>> implement? I would like to hear...:
>>>> ...if you think it's a good idea?
>>>> ...if you think it would contradict some basic design rules of Typo3?
>>>> ...how hard it would be to implement?
>>>> ...if you might implement it sometime?
>>>> ...if not, do you think it would be possible to implement through an
>>>> extension?
>>>>
>>>> The first idea:
>>>> The idea is that when you are logged in, you will be able to choose
>>>> among different user-roles which correspond to be-usergroups you
>>>> were assigned.
>>>
>>> Comment: it's like switching off those usergroups which are marked as
>>> user-roles AND not selected.
>>>
>>>> For example - you might want to edit news. Then you select the
>>>> news-role and only the be-usergroup for news-editing kicks in.
>>>>
>>>> Or you might want to edit the calendar then you select calendar-role
>>>> and only the be-usergroup for calendar-editing kicks in.
>>>>
>>>> To select a user-role, you could have a dropdown-list in the BE with
>>>> the different user-roles you can switch through, one of which is
>>>> default.
>>>>
>>>>
>>>> Or another idea:
>>>> Similar to the above idea.
>>>> You can mark be-users as being user-roles.
>>>> Then these user-roles could be assigned to be-users,
>>>> who then can switch between these in the BE from a dropdown-list.
>>>>
>>>> The problem might be that it's not the be-user who sets its mark
>>>> when editing something but the user-role instead. But that might
>>>> also be solvable.
>>>>
>>>> /Stig
>
> _______________________________________________
> Typo3-dev mailing list
> Typo3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
> 
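Added example, not part of the thread and not TYPO3 code: a small Python model of the behaviour discussed above, where permissions are the union over all of a user's groups, compared with the proposed "active role" switch that turns off groups marked as roles and not selected. The group names `role_a`, `role_b`, `grp_mounts`, the permission labels `1` and `2`, and the mount name are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    is_role: bool = False            # the extra flag that marks a role group
    tables: frozenset = frozenset()  # what the group allows (role groups)
    mounts: frozenset = frozenset()  # DB/file mounts (normal groups)


def effective(groups, active_role=None):
    """Return (tables, mounts) granted by the groups that are switched on.

    active_role=None: every group counts, so permissions are the union.
    active_role=name: role groups other than `name` are switched off;
    groups that are not roles stay on.
    """
    role_names = {g.name for g in groups if g.is_role}
    if active_role is not None and active_role not in role_names:
        # Fail closed: a role the user was never assigned (or a normal
        # group passed off as a role) must not silently grant anything.
        raise PermissionError(f"role not assigned: {active_role!r}")
    on = [g for g in groups if not g.is_role or active_role in (None, g.name)]
    tables = frozenset().union(*(g.tables for g in on))
    mounts = frozenset().union(*(g.mounts for g in on))
    return tables, mounts


# Constructed sample: "1 and 2 are allowed in role A, but only 1 in role B".
USER_GROUPS = [
    Group("role_a", is_role=True, tables=frozenset({"1", "2"})),
    Group("role_b", is_role=True, tables=frozenset({"1"})),
    Group("grp_mounts", mounts=frozenset({"news_tree"})),
]

if __name__ == "__main__":
    for role in (None, "role_a", "role_b"):
        tables, mounts = effective(USER_GROUPS, role)
        print(role, sorted(tables), sorted(mounts))
```

With no active role the user holds `2` everywhere, including the mounts that were only meant to be worked on as role B; selecting `role_b` removes it while the mount group stays in effect.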