Wouldn't it be better if JForum's access control was permission-based instead of restriction-based?
For example, in the Admin control panel / Group permission control, I think it would be far better if you could specify which groups are ALLOWED to see which categories, instead of DENIED. Otherwise, if you create a new secret category, you have to explicitly deny access for all non-authorized groups/users. And if a new user is created...
If I understand the current wisdom correctly, permission-based security is The Right Thing (tm).
Perhaps JForum's design is inherited from phpBB? If so, JForum has the opportunity to become much better if the access control model is changed to permission-based.
The permission schema is not based on phpBB at all. I don't even understand that piece of crap that is the security model of phpBB.
When I started coding the permission stuff, "restriction based" was the best in my opinion, but I have my doubts about this nowadays. However, the current code is working as expected, and was very very very hard to make it work right. It is fucking hard to test all roles, combinations and merges. Changing the code would require a lot of effort and time. I don't have plans to change it so soon.
Rafael [originally posted on jforum.net by Rafael Steil]
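The scenario raised in the first post, as an added example that is not part of the thread and is not JForum's code: the same category rules evaluated under a restriction-based (default allow) and a permission-based (default deny) model after a new group is created. The group and category names, `can_view`, `implicit_grants` and `run_scenario` are all assumptions made for illustration.

```python
# Constructed scenario: group and category names are hypothetical; this models
# the two policy styles in general and is not JForum's permission code.

def can_view(rules, default_allow, group, category):
    """An explicit rule wins; otherwise the model's default decides."""
    return rules.get((group, category), default_allow)

def implicit_grants(rules, default_allow, groups, categories):
    """Pairs that are viewable only because nobody wrote a rule for them."""
    return sorted(
        (g, c) for g in groups for c in categories
        if (g, c) not in rules and can_view(rules, default_allow, g, c)
    )

def run_scenario():
    groups = ["admins", "moderators", "members"]
    categories = ["general", "staff-only"]

    # Restriction-based: everything is visible unless denied (False).
    deny_rules = {("moderators", "staff-only"): False,
                  ("members", "staff-only"): False}
    # Permission-based: nothing is visible unless allowed (True).
    allow_rules = {(g, "general"): True for g in groups}
    allow_rules[("admins", "staff-only")] = True

    # A new group appears later and no administrator revisits the rules.
    groups.append("guests")

    return {
        "deny_model_guests_see_secret": can_view(deny_rules, True, "guests", "staff-only"),
        "allow_model_guests_see_secret": can_view(allow_rules, False, "guests", "staff-only"),
        "deny_model_implicit": implicit_grants(deny_rules, True, groups, categories),
        "allow_model_implicit": implicit_grants(allow_rules, False, groups, categories),
    }

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running `implicit_grants` over a real rule set is a quick audit of how much access exists only because of the default rather than an explicit decision.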