On Tue, Apr 14, 2009 at 6:09 PM, Jorge G. Mare <koki@xxxxxxxxxxxxx> wrote:
> Upon quick inspection, permission settings seemed to have changed from
> what they originally used to be; I don't know if this was by accident
> (during the D5 upgrade?) or by design, but anyway here are the user
> roles and permissions as originally thought out.
>
> Anonymous user:
>
> - Access content only
>
> Authenticated user = Anonymous user plus:
>
> - Create conference, doc for user, doc for devs, news post and RFCs
> (all submissions moderated)
> - Edit own content (of above-mentioned types)
> - Post comments
>
> Blogger = Authenticated user plus:
>
> - Create blog posts
> - Edit own blog posts
>
> Editor = Authenticated user plus:
>
> - Edit all content types
>
> Dev = Blogger plus:
>
> - Create & edit all content types
>
> Admin = Dev plus:
>
> - All system notifications (mainly to keep an eye on spam accounts)
>
> Superadmin (user 1):
>
> - Full permissions
>
> So, would adding a Moderator role as an almighty editor to the above
> meet your needs?

Tiered permissions aren't a terribly great idea, IMO, and tend to "classify" people into different levels of system-wide trust which I think is less open-source-like - I think we should go with "additive" permissions.

For example, I had created an Event Admin role which could be assigned to anyone who was to have admin rights over the event/conference content... This will allow people (or small groups of people) to "own" and be responsible for the respective areas of content on the website as they show interest.

You could have "Bloggers" and "Blog Admins" for example to separate people who have blogging rights, and people who can moderate/admin blogs - perhaps this level isn't needed, but it makes for a much more modular security system when trying to define who has access to what - by just assigning multiple roles to people, you give them multiple privileges, rather than choosing a single role based on what level of access you want them to have.

You would also create, for example, a role for "Security Admin" to delete spammers, change certain roles of users, block accounts, etc., without giving them implicit administrative access to configure the website and various modules, etc. As long as you don't go overboard, this can be extremely manageable.

-----------------------------------------------------------------------
haiku-web@xxxxxxxxxxxxx - Haiku Web & Developer Support Discussion List
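
The two models discussed in this thread, compared side by side as an added example that is not part of the original mail or of the site's configuration. The permission strings and the role keys are constructed labels for the capabilities the thread names, not Drupal's real permission names; user 1 (full permissions) is left out of the tier table.

```python
# Added example. Permission strings are constructed labels for the
# capabilities named in the thread, not Drupal's real permission names.
TYPES = ["conference", "user_doc", "dev_doc", "news", "rfc", "blog"]
SUBMIT = TYPES[:5]  # types any authenticated user may submit

def perms(verb, types):
    return {f"{verb} {t}" for t in types}

# Tiered model from the quoted list: role -> (parent role, own permissions).
TIERED = {
    "anonymous": (None, {"access content"}),
    "authenticated": ("anonymous", perms("create", SUBMIT)
                      | perms("edit own", SUBMIT) | {"post comments"}),
    "blogger": ("authenticated", {"create blog", "edit own blog"}),
    "editor": ("authenticated", perms("edit any", TYPES)),
    "dev": ("blogger", perms("create", TYPES) | perms("edit any", TYPES)),
    "admin": ("dev", {"receive system notifications"}),
}

def tiered_perms(role):
    """Everything a tier grants, including what it inherits."""
    granted = set()
    while role is not None:
        role, own = TIERED[role]  # step up to the parent tier
        granted |= own
    return granted

# Additive model from the reply: small roles that are combined per user.
ADDITIVE = {
    "authenticated": tiered_perms("authenticated"),
    "blogger": {"create blog", "edit own blog"},
    "blog_admin": {"edit any blog"},
    "event_admin": {"edit any conference"},
    "security_admin": {"delete spam accounts", "change user roles",
                       "block accounts"},
}

def additive_perms(roles):
    return set().union(*(ADDITIVE[r] for r in roles))

def smallest_tier(needed):
    """Least-privileged single tier covering `needed`; None if no tier does."""
    fits = [r for r in TIERED if needed <= tiered_perms(r)]
    return min(fits, key=lambda r: len(tiered_perms(r)), default=None)

if __name__ == "__main__":
    needed = tiered_perms("authenticated") | {"edit any conference"}
    tier = smallest_tier(needed)
    print(tier, sorted(tiered_perms(tier) - needed))  # surplus under tiers
    print(sorted(additive_perms(["authenticated", "event_admin"]) - needed))
    print(smallest_tier({"block accounts"}))  # no tier short of user 1
```

For someone who only looks after conference content, the smallest fitting tier carries edit rights over every other content type as surplus, while the additive assignment carries none.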