[geeklog-devel] GSoC - Comments - Edit - Permissions

Michael Jervis mjervis at gmail.com
Thu Jun 5 03:52:31 EDT 2008


Jared and I are discussing permissions to edit comments in Geeklog for
the GSoC work he's doing.

Firstly, I believe the requirement is for users to be able to edit
their own comments, and for administrators to be able to edit users'
comments subject to security permissions.

So, I've said the following:

>> Geeklog uses unix style permissions. Everything with permissions on it
>> has an owner and a group. Then there are permissions for owner, group
>> and anonymous users.
>>
>> A comment should be saved with the owner_id being the id of the user
>> who created it, if authenticated. I don't think we already have one,
>> but a group of comment moderators or something might be needed.
>> Comments would then be saved with perm_owner allowing edits and
>> perm_group allowing edits. Then administrators can be given edit
>> permissions to comments by assigning them the comment moderator group,
>> and users can edit their own comments. Anonymous should just have read
>> permissions of course.

Jared's response:

> Does this mean add these rows to the comment table and save this default
> data each time a comment is submitted?

I think the answer to this is yes, comments will now need to have the
standard permissions columns which will have to be set when a comment
is saved by a user automatically.

> Are there instances where individual
> comment permissions would change?

But, would we want the administrator to be able to change the
permissions mask as they can with stories? So, if a user edits a
comment, a moderator edits a piece out and the user edits it back in,
the administrator can change it such that the user can no longer edit
it? (Perm_owner read only)

And I would assume we'd default existing comments on mature sites to
owner_id of the user who posted the comment, or root if it was
anonymous, and perm_owner to read only as with perm_group and
perm_anon?

> Currently I have something like this
> with the comment moderator group having rights to the feature 'comment.edit'
> :
>
> if ( $_USER['uid'] == $A['uid'] && $_CONF['comment_edit'] == 1
>      && (time() - $A['nice_date']) < $_CONF['comment_edittime']) {
>     $edit_option = true;
> } else if (SEC_hasRights( 'comment.edit' ) ) {
>     $edit_option = true;
> } else {
>     $edit_option = false;
> }

Having seen this from Jared, I'm half recanting my earlier comment:

>> Then administrators can be given edit
>> permissions to comments by assigning them the comment moderator group,

I guess the group would actually be the group of the user who posted
the comment (logged in users most likely) and the group permission
would be read only. And Jared is right, Administrators/Moderators
would need the comment.edit permission to edit a user's comment, which
would include the editing of the permissions mask to prevent the owner
re-editing the comment (assuming that owner wasn't a comment.edit user
too of course).

Does that make sense and cover all the use-cases people can see? Where
are the obvious glaring gaps I've left in as a deliberate mistake? ;-)

Cheers,

Mike

-- 
Michael Jervis
mjervis at gmail.com
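
The combined rule discussed in this message (owner edit window, per-comment perm_owner mask, comment.edit override), as an added example that is not code from Geeklog or from either participant. The function name, array shapes, mask values 2 and 3, and the shared anonymous uid of 1 are assumptions made for illustration.

```php
<?php
// Added illustration, not Geeklog code. All names below are hypothetical.
const PERM_READ = 2;   // assumed mask value: read only
const PERM_EDIT = 3;   // assumed mask value: read + edit
const ANON_UID  = 1;   // assumed uid shared by all anonymous visitors

/**
 * Decide whether $user may edit $comment.
 * $user:    ['uid' => int, 'rights' => string[]]
 * $comment: ['owner_id' => int, 'perm_owner' => int, 'posted' => unix time]
 * $conf:    ['comment_edit' => 0|1, 'comment_edittime' => seconds]
 */
function canEditComment(array $user, array $comment, array $conf, int $now): bool
{
    // Moderators: the comment.edit feature overrides the per-comment mask.
    if (in_array('comment.edit', $user['rights'], true)) {
        return true;
    }
    // Anonymous visitors share one uid, so a uid match proves nothing.
    if ($user['uid'] === ANON_UID) {
        return false;
    }
    $isOwner    = $user['uid'] === $comment['owner_id'];
    $maskAllows = $comment['perm_owner'] >= PERM_EDIT;  // moderator may lower it
    $inWindow   = ($now - $comment['posted']) < $conf['comment_edittime'];

    return $isOwner && $maskAllows && $conf['comment_edit'] == 1 && $inWindow;
}

// Constructed sample data.
$conf  = ['comment_edit' => 1, 'comment_edittime' => 1800];
$now   = 1212652351;
$alice = ['uid' => 5, 'rights' => []];
$mod   = ['uid' => 9, 'rights' => ['comment.edit']];
$anon  = ['uid' => ANON_UID, 'rights' => []];

$fresh  = ['owner_id' => 5, 'perm_owner' => PERM_EDIT, 'posted' => $now - 60];
$locked = ['owner_id' => 5, 'perm_owner' => PERM_READ, 'posted' => $now - 60];
$stale  = ['owner_id' => 5, 'perm_owner' => PERM_EDIT, 'posted' => $now - 7200];
$byAnon = ['owner_id' => ANON_UID, 'perm_owner' => PERM_EDIT, 'posted' => $now - 60];

var_dump(canEditComment($alice, $fresh,  $conf, $now)); // owner, inside window
var_dump(canEditComment($alice, $locked, $conf, $now)); // owner, mask set read only
var_dump(canEditComment($alice, $stale,  $conf, $now)); // owner, window expired
var_dump(canEditComment($mod,   $locked, $conf, $now)); // holder of comment.edit
var_dump(canEditComment($anon,  $byAnon, $conf, $now)); // anonymous uid collision
```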