Permission-based security

 
Ranch Hand
Posts: 17424
Wouldn't it be better if JForum's access control was permission-based instead of restriction-based?

For example, in the Admin control panel / Group permission control, I think it would be far better if you could specify which groups are ALLOWED to see which categories, instead of DENIED. Otherwise, if you create a new secret category, you have to explicitly deny access for all non-authorized groups/users. And if a new user is created...

If I understand the current wisdom correctly, permission-based security is The Right Thing (tm).

Perhaps JForum's design is inherited from phpBB? If so, JForum has the opportunity to become much better if the access control model is changed to permission-based.

Cheers!
Per

[originally posted on jforum.net by per]
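
The difference described in the post above, as an added Java sketch that is not JForum's code: it evaluates the same users under restriction-based and permission-based rules after a group is created later than the secret category. The class, group, category and user names are constructed, and the rule for merging a user's several groups is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class AccessModelDemo {
    // Restriction-based: a group reads a category unless a deny entry exists.
    // Assumed merge rule: a user gets in if any of their groups is not denied.
    static boolean restrictionBased(Map<String, Set<String>> denied,
                                    Set<String> userGroups, String category) {
        Set<String> blocked = denied.getOrDefault(category, Set.of());
        return userGroups.stream().anyMatch(g -> !blocked.contains(g));
    }

    // Permission-based: a group reads a category only if an allow entry exists.
    static boolean permissionBased(Map<String, Set<String>> allowed,
                                   Set<String> userGroups, String category) {
        Set<String> granted = allowed.getOrDefault(category, Set.of());
        return userGroups.stream().anyMatch(granted::contains);
    }

    public static void main(String[] args) {
        String secret = "staff-only"; // constructed category name
        // Configured when only "admins" and "members" existed.
        Map<String, Set<String>> denied = Map.of(secret, Set.of("members"));
        Map<String, Set<String>> allowed = Map.of(secret, Set.of("admins"));

        // Constructed users; "newcomers" is a group created after the category.
        Map<String, Set<String>> users = new LinkedHashMap<>();
        users.put("alice", Set.of("admins"));
        users.put("bob", Set.of("members"));
        users.put("carol", Set.of("newcomers"));
        users.put("dave", Set.of("members", "newcomers"));

        users.forEach((name, groups) -> System.out.printf(
                "%-6s restriction-based=%-5b permission-based=%b%n", name,
                restrictionBased(denied, groups, secret),
                permissionBased(allowed, groups, secret)));
        // carol and dave get in under the restriction-based rules because nobody
        // added a deny entry for "newcomers"; under the permission-based rules
        // the missing entry means no access.
    }
}
```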
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
The permission schema is not based on phpBB at all. I don't even understand that piece of crap that is the security model of phpBB.

When I started coding the permission stuff, "restriction based" was the best in my opinion, but I have my doubts about this nowadays. However, the current code is working as expected, and was very very very hard to make it work right. It is fucking hard to test all roles, combinations and merges. Changing the code would require a lot of effort and time. I don't have plans to change it so soon.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424

Rafael Steil wrote: When I started coding the permission stuff, "restriction based" was the best in my opinion, but I have my doubts about this nowadays.


Yep, I think that you're right there!

However, the current code is working as expected, and was very very very hard to make it work right. It is fucking hard to test all roles, combinations and merges.


Precisely. I think that's because of the model, and presume that a permission-based model is much easier to implement and get right.

Changing the code would require a lot of effort and time. I don't have plans to change it so soon.


I quite understand! It's a major redesign.

Regards!
Per

[originally posted on jforum.net by per]
 