Heya!
Quick question regarding SMFG's treatment of permissions RE: groups -
It appears that it treats permissions with a "default allow" philosophy... anything not specifically forbidden is granted.
1) Is this true, and
2) Any plans to change it in the future (to make it consistent with SMF's treatment of permissions), and
3) Any caveats with me changing the permission structure to support "default deny"
It's an obscure issue... but it tends to be huge if any non-trivial group management is to take place.
Case study to demonstrate -
I have a gallery with several categories. Most categories are intended to be viewed by the "ungrouped" users. One category is reserved for viewing by a specific group, and should be hidden from the "ungrouped".
With stock SMF group inheritence, I'd allow "ungrouped" to have access to all categories except the Reserved one. For this one Reserved category, I'd
not specify any rights at all... literally, the "Reserved" permission for the "ungrouped" group would be
unspecified. This equates to the "X" column in SMF's "A X D" permissions manager.
I'd then create a new permissions group that has the right to view this Reserved category. If a user wants access, I'd simply add that group to their "additional groups" setting. (Note that the user's primary group would still be "Ungrouped").
Come time to resolve the various permissions, any right that is not explicitly allowed would be denied. Any right that is explicitly denied... is denied. The only rights to survive are ones that are (1) explicitly allowed somewhere in the user's group hierarchy, AND (2) not denied anywhere in the user's group hierarchy.
With the current gallery permissions scheme, you can guess the amount of legwork and group permutations that are required to create this sample setup, with just one single "restricted" category. Add several such categories, and the group counts increase exponentially with all of the various permutations.
Just guessing on the method you used to check permissions, but it acts as if we...
select all rights for user where cat=thiscat
...and basically, if any of the results are a DENY, we don't allow the action.
And that's the problem! Unspecified rights won't be a DENY... they will be ALLOW. I'd suggest the following, specifically in this order of processing -
select all rights for user where cat=thiscat
hasrights = .false.
if anyresults = "ALLOW", hasrights = .true.
if anyresults = "DENY", hasrights = .false.
if hasrights... allow the action. Else... do not.
Meanwhile, the current "category permissions" page would need to be updated... the permissions cannot be boolean (checkboxes). At present, the category options are exactly, "allow" and "deny", based on the presence of the checkmark. Each permission needs to allow "not specified", as well.
Obviously, it'll have a large impact on group management, making the gallery's permission handling consistent with SMF, and making the gallery more useful for non-trivial applications.
Comments? thoughts? ideas?