THIS IS A DRAFT
This is a summary of a big serie of big emails between a&w (mjlecomte) and grahack. Please add your comments AT THE END of this document, in the discussion section.
Those three topics could have been separated, but they reveal together much more strength.
Secondary Roles
Quick Overview
We want to be able to give several roles to one user. This will enhance flexibility, for those who want fine grained permissions on their site. See NewInheritance for some details on what is not possible now with FAL.
Technical Stuff
With a new config item (say FAL_allow_secondary_roles), the webmaster can enable the new functionnality. When disabled, the behaviour of FAL is as usual, so you'll see that everything is kept for backward compatibility.
Some roles are still configured in the same array, with their values, but are now called primary roles. But when FAL_allow_secondary_roles is enabled, the three main roles are enough in this table, we now play with other config items.
Let's say for the moment (this will have to change for roles on the fly) that the secondary roles are stored in such an array, but with no values (impossible to have a proper inheritance system with one-dimensional values, see this good old page).
Instead of the values, we'll have another config array that will tell: "if this role is allowed, then these are too". Let's call it FAL_roles_and_allowed_too. (please find a better name!!!)
// subjects
$config['FAL_roles_and_allowed_too']['maths_student'] = array('maths_teacher','maths_admin');
$config['FAL_roles_and_allowed_too']['maths_teacher'] = array('maths_admin');
$config['FAL_roles_and_allowed_too']['english_student'] = array('english_teacher','english_admin');
$config['FAL_roles_and_allowed_too']['english_teacher'] = array('english_admin');
// classes
$config['FAL_roles_and_allowed_too']['group1'] = array('group1_admin');
adding for convenience:
- "if 'user' is not a key, all roles are ancestors for a user"
- security check, not processing the 'superadmin' key
IMPORTANT: when enabled, the old role values are not processed!!!
So if you had
'role1' => 15, 'role2' => 20, 'role3' => 26
you now have to use
$config['FAL_roles_and_allowed_too']['role2'] = array('role1');
$config['FAL_roles_and_allowed_too']['role3'] = array('role2');
Last word: roles will be stored in a link table fa_user_roles (id, user_id, role) with a VARCHAR as the role.
Check Process
We'll call list of roles of a user the union of his primary AND secondary roles.
Now if the check($role) function is called, what happens?
- if FAL_allow_secondary_roles is false, do as usual
- else, check if the user has the $role in his (her) list of roles (yes => allow)
- else, check if $role is a key of $config['FAL_roles_and_allowed_too'] (no => deny)
- if it's a key, check if any of the values of the array found is in his (her) list of roles (yes => allow)
- recursion with the two steps above
- else deny.
Console
We just have checkboxes now instead of the dropdown field, or maybe multi-selection-dropdown field.
Console Access
Overview
The console is for now a kind of TECHNICAL RESERVED AREA. People that are allowed here are trustful people, used to deal with computers and the Internet...
What we suggest here, is to allow roles ending with _admin to access it too.
Details
A somerole_admin will only see somerole users and won't have the ability to change their roles, but will be able to edit their custom profile. (superadmin_admin and admin_admin will be ignored).
We keep the same behaviour as usal for superadmins and admins.
We let you imagine the power of this having secondary roles enabled...
Roles on the Fly
Just a place where admins and superadmins (and maybe other roles) will be able to create roles on the fly.
We need a fa_roles table now.
The problem is for managing the inheritance. A big table with checkboxes to mimic the $config['FAL_roles_and_allowed_too'] table.
