I know we have discussed this before. But I am digging in the permissions model (as promised) to make some changes to the UI and some fixes to the underlying operation. Specifically, in this post I inserted this snippet from the News module design documentation:
With the ACS4 permissions model, the news administrator need no longer coincide with the site administrator. This need only be the case right after installation. The News application has a hierarchical set of permissions which can be assigned to any party as needed. The news root privilege is news_admin, which comprises news_create, news_delete, and news_read. By default, the news_admin permission inherits from the site-wide admin. The news_read permission is assigned to the public so that all users, including non-registered users, have access to /news/. By default, the news_create permission is assigned to registered users. However, they can only submit a news item, but not approve it. Approval requires news_admin privilege or can be set to take place automatically by setting the parameter ApprovalPolicy to 'open'.

The news privileges can be changed in /permissions/ by the administrator on the /news/admin/index page. The needs of an individual site, e.g. sharing the news administration duties among several individuals, are thus covered.
I was re-reading this after we found another bug in the permissions implementation wrt the news module. If there was no permission called news_admin that is to be used to name a separate admin (from the site admin) for the news stories, how would this (i.e. sharing the news administration duties among several individuals) be accomplished?
At our site, we are recruiting and training people to be news editors and we definitely do not want to give them the permission called admin. Now we could give them admin permission just to the news module instance, but we have found some cases where this has side-effects also. Maybe this permission should be named news_editor.
Any help and/or insight is appreciated.
Regards..
--------------------------------------------------------------
Note: although this is related to the idea of application-scoped permissions, I still intend to provide (a proposal for) the scoping function.
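As an added illustration (not part of the post above and not OpenACS code), here is a small Python model of the hierarchical permission check the quoted design text describes: a parent privilege implies the privileges it comprises, a grant on a parent object applies to objects below it in the context chain, and a grant to a group applies to its members. The party names (alice, editor_bob, site_admin, anonymous), the group memberships and the object names (site_root, news_instance) are assumptions; the privilege tree and the default grants follow the design text. The last function compares the two options the post discusses for a news editor: a grant of news_admin on the news instance versus a grant of admin on the news instance.

```python
# Toy model of hierarchical privileges and context-inherited grants.
# Constructed illustration, not OpenACS code; names below are assumptions.
from collections import deque

# Privilege tree: parent -> the child privileges it comprises.
PRIVILEGE_CHILDREN = {
    "admin": {"news_admin"},  # news_admin inherits from the site-wide admin
    "news_admin": {"news_create", "news_delete", "news_read"},
}

# Object context chain: object -> parent object (the site root has none).
CONTEXT = {"news_instance": "site_root"}

# Group membership: group -> direct members (parties or other groups).
MEMBERS = {
    "the_public": {"registered_users", "anonymous"},
    "registered_users": {"alice", "site_admin", "editor_bob"},
}

# Default grants from the design text, plus a news_admin grant for one editor.
# Each grant is (object, grantee, privilege).
GRANTS = [
    ("site_root", "site_admin", "admin"),
    ("news_instance", "the_public", "news_read"),
    ("news_instance", "registered_users", "news_create"),
    ("news_instance", "editor_bob", "news_admin"),
]


def implied_privileges(privilege):
    """Every privilege a grant of `privilege` confers: itself and all descendants."""
    seen, queue = set(), deque([privilege])
    while queue:
        p = queue.popleft()
        if p not in seen:
            seen.add(p)
            queue.extend(PRIVILEGE_CHILDREN.get(p, ()))
    return seen


def groups_of(party):
    """The party itself plus every group it belongs to, transitively."""
    result, queue = set(), deque([party])
    while queue:
        p = queue.popleft()
        if p in result:
            continue
        result.add(p)
        for group, members in MEMBERS.items():
            if p in members:
                queue.append(group)
    return result


def context_chain(obj):
    """The object and all of its ancestors in the context hierarchy."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = CONTEXT.get(obj)
    return chain


def has_permission(party, obj, privilege, grants=GRANTS):
    """True if some grant on `obj` or an ancestor, to the party or one of its
    groups, carries a privilege that implies `privilege`."""
    parties = groups_of(party)
    objects = set(context_chain(obj))
    return any(
        g_obj in objects and grantee in parties and privilege in implied_privileges(g_priv)
        for g_obj, grantee, g_priv in grants
    )


def effective_privileges(party, obj, grants=GRANTS):
    """Which of the known privileges the party holds on the object."""
    known = set(PRIVILEGE_CHILDREN) | {c for cs in PRIVILEGE_CHILDREN.values() for c in cs}
    return {p for p in known if has_permission(party, obj, p, grants)}


def editor_comparison():
    """Compare granting news_admin vs. admin on the news instance to editor_bob."""
    with_news_admin = effective_privileges("editor_bob", "news_instance")
    admin_grants = [g for g in GRANTS if g[1] != "editor_bob"]
    admin_grants.append(("news_instance", "editor_bob", "admin"))
    with_admin = effective_privileges("editor_bob", "news_instance", admin_grants)
    return with_news_admin, with_admin


if __name__ == "__main__":
    for party in ("anonymous", "alice", "editor_bob", "site_admin"):
        print(party, sorted(effective_privileges(party, "news_instance")))
    print("editor_bob with news_admin vs admin:", editor_comparison())
```

Running it shows the difference the post is asking about: with a grant of news_admin, editor_bob holds exactly news_admin and the three privileges it comprises on the news instance, while a grant of admin on the same instance additionally confers admin itself (and any other privilege later hung under admin), which is where instance-level admin grants pick up extra effects. Neither option gives editor_bob anything on the site root.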