Make backend ACL implementation more flexible
| Reported by: | ewinslow | Owned by: | |
| Priority: | normal | Milestone: | Long Term Discussion |
Description (last modified by ewinslow)
The access control system could use a makeover, don't you think?
Right now Elgg supports:
- Logged in
- Custom ACL (whether a group, friends collection, etc.)
What Elgg does not support:
- All my friends and Tom (unions)
- Everyone except Tom (exceptions)
- Friends and friends of friends (extended friends)
I think the easiest way to get this kind of flexibility would be to leverage relationships.
- Track which users and groups of users have been given explicit permission and/or have been explicitly denied permission via relationships (as opposed to tracking users that have been implicitly given permission by being a part of a special group -- public, logged in, extended friends, friends).
- Cache the result of the explicit unions/exclusions in a DB table any time these permissions are changed to keep access checks fast.
- Users blocked from seeing a piece of content cannot see it even if they are a member of a group that has explicitly been given permission.
- Users/groups that have been explicitly given permission to view may view even if they are not part of the "base" access collection that was selected (e.g. public, logged in, extended friends, friends, private).
Of course, we'd also have to improve the UI to be capable of reflecting these options.
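
The evaluation order proposed in this ticket (explicit deny first, then explicit grant, then the base collection), sketched as an added example that is not part of the ticket or of Elgg's code. The user and group names, the in-memory `EXPLICIT` table standing in for the cached DB table, and every function name are hypothetical; letting the owner always view is an assumption.

```python
# Constructed sample data; all user, group and function names are hypothetical.
FRIENDS = {"alice": {"bob", "carol"}, "bob": {"alice", "dave"}, "carol": {"alice", "tom"}}
GROUPS = {"hikers": {"tom", "erin"}}
EXPLICIT = {}  # content_id -> (owner, base, allowed users, denied users): the cached table

def in_base(owner, base, user):
    """Implicit membership in the selected base collection, checked at read time."""
    friends = FRIENDS.get(owner, set())
    if base == "public":
        return True
    if base == "logged_in":
        return user is not None           # None models an anonymous visitor
    if base == "extended_friends":
        return user in friends or any(user in FRIENDS.get(f, set()) for f in friends)
    if base == "friends":
        return user in friends
    if base == "private":
        return False
    raise ValueError(f"unknown base collection: {base}")

def expand(principals):
    """Flatten a mix of user and group names into a set of user names."""
    users = set()
    for p in principals:
        users |= GROUPS.get(p, {p})
    return users

def set_policy(content_id, owner, base, allow=(), deny=()):
    """Recompute the cached explicit sets whenever the permissions change."""
    EXPLICIT[content_id] = (owner, base, frozenset(expand(allow)), frozenset(expand(deny)))

def can_view(content_id, user):
    if content_id not in EXPLICIT:
        return False                      # unknown content: fail closed
    owner, base, allowed, denied = EXPLICIT[content_id]
    if user == owner:
        return True                       # assumption: the owner always sees their own content
    if user in denied:
        return False                      # explicit block wins over every grant
    return user in allowed or in_base(owner, base, user)
```

Because groups are expanded when the policy is written, this cache also goes stale when group membership changes, so that event has to trigger the same rebuild as a permission change.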