Forum OpenACS Q&A: Response to Group bboards

11: Response to Group bboards (response to 1)
Posted by Naveen Agnihotri on
Here's an example of how not to implement group scoping of the bboard module.

closedACS 3.2 (the glorious "MIT sucks!" release) comes with this glorious kludge: At the bottom of ad-custom.tcl.postload hides a filter that defines the function bboard_restrict_access_to_group for all URLs of the kind /bboard/*. Within this function, there is some logic of the kind of:


set has_access_p 0

if { $user_id > 0 } {
   .   
   .
   .
   do some stuff to check group_id, and
      if everything is ok, set has_access_p 1
   .
   .
}

if has_access_p is still 1, return filter_ok.

else, give a nasty "you are not allowed in the group that is
allowed to see this bboard" message.

This guarantees two things: First, it guarantees that anyone just clicking through the site without logging in (i.e., with user_id = 0) will not be granted access to any bboards. They will not be taken to a login screen. They will just be rejected.

But perhaps more importantly, this guarantees that the sysadmin trying to figure out why the heck non-registered users cannot see any bboards and looking in the normal places -- the bboard-related tcl library files -- will end up scratching their head: there is nothing there talking about how bboards are being scoped. The documentation doesn't talk about it, and the admin page for user groups doesn't list bboard as among the modules you can associate with any user group.

Nothing like a few minutes of grepping to provide me with a cheap sense of accomplishment!
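
An added example, not part of the original post and not ACS code: the same group check, written so that an anonymous visitor (user_id = 0) is sent to log in instead of being rejected outright. The proc name, the two lookup tables and the shape of the returned decision are assumptions made for illustration; it is plain Tcl (8.5 or later) so it runs in tclsh without AOLserver.

```tcl
# Constructed sample data (assumption): the group allowed to read each
# scoped bboard topic, and the members of each group. Topics that are not
# listed here are treated as public.
set topic_group   [dict create staff-only 7]
set group_members [dict create 7 {42 43}]

# Decide what to do with one /bboard/* request.
# Returns a list whose first element is the decision:
#   {allow}               - serve the page
#   {login <return_url>}  - visitor is not logged in; send to login, then back
#   {deny <reason>}       - logged in, but not in the group the topic requires
proc bboard_access_decision {user_id topic url} {
    global topic_group group_members

    # Topic is not scoped to any group: nothing to enforce.
    if {![dict exists $topic_group $topic]} {
        return [list allow]
    }

    # Not authenticated. The filter described in the post lets this case
    # fall through with has_access_p still 0 and shows the "not allowed"
    # message; here it gets its own outcome so the caller can redirect.
    if {$user_id <= 0} {
        return [list login $url]
    }

    # Authenticated: check membership in the group the topic requires.
    set group_id [dict get $topic_group $topic]
    set members {}
    if {[dict exists $group_members $group_id]} {
        set members [dict get $group_members $group_id]
    }
    if {$user_id in $members} {
        return [list allow]
    }
    return [list deny "user $user_id is not a member of group $group_id"]
}

# Constructed requests: anonymous on a public topic, anonymous on a scoped
# topic, a group member, and a logged-in non-member.
foreach {user_id topic} {0 general 0 staff-only 42 staff-only 99 staff-only} {
    set url "/bboard/q-and-a.tcl?topic=$topic"
    puts [format "%-3s %-11s -> %s" $user_id $topic \
        [bboard_access_decision $user_id $topic $url]]
}
```

Keeping a check like this in the bboard library files, where the post says a sysadmin would look first, also addresses the discoverability problem described above.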