roller-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: ACL for viewing individual posts?
Date Tue, 25 Mar 2008 17:26:11 GMT

On Mar 25, 2008, at 9:40 AM, Zac Morris wrote:

>> Just to be absolutely clear, you are interested in setting the
>> permissions per blog entry, not per blog?
> Yes, but it would also be possible to set one of the groups as
> "default" thus making all posts readable only by that "group".
>> I don't know how people use this stuff or want to use it but to me it
>> seems like if I was going to go to the trouble of setting up
>> permissions for something I'd assign them to a blog so that would
>> provide a convenient re-use point.
> The difference is, like I said in my original post, the
> difference between "blog as single topic publishing engine" vs.
> "blog as multiple topic journal".
> The first approach, which roller now seems to be geared
> towards, is where a given blog is matched to a given audience,
> and then posts to that specific blog match a given "topic"
> readable for everyone reading the blog.  In this model,
> entitlement is based on "poster" priviledges, and not reader
> priviledges.
> The second approach, which LiveJournal is geared towards, is
> where a blog is a personal journal, and you basically set the
> audience for each of your posts [because each post may not
> match a specific "topic"] (i.e. when I post a journal entry that
> contains personal information that I only want a group of
> friends to see).
> I have no problem doing the work, but like I said I see this as
> a possible philosophical issue, as it is a paradigm shift of
> how roller could be used, so wanted to know if anyone is
> diametrically opposed.
>> I had an idea about "hierarchical blog names" sort of like group/
>> subgroup/.../blogname.
> Yeah, it has been my experience that only technically minded
> people seem to embrace hiarachical presentation.  Let take the
> Windows OS as an example.  Since Windows grew out of DOS, the
> hiarachical filesystem is pretty much at the heart of Windows;
> but if you ask the majority of non-technical users to bring up
> "File Manager" they don't have a clue what you're talking
> about.  This is why MS is already looking towards a dB/meta-data
> based OS that won't be hiarachical in nature.  Personally I
> think that sucks, but I've worked with enough of these
> non-technical users to understand that they just don't "get"
> hiarachical file systems.
> Let me say this all another way.  Typically blogs are mostly
> matched to a given "topic".  Let's say a political blog.  An
> individual, or a group of contributors, posts a series of
> entries that match that given topic that is readable by the
> entire "audience".
> What I'm talking about is a blog where the contributor IS the
> topic.  Since this kind of blog isn't quite so "clear cut" as
> say a political blog, each "post" might need a different
> audience.  So instead of having to setup multiple indivdiual
> "blogs" for different "topics", what I'm talking about is a
> journal type approach where I post to a single blog, but then I
> can choose the given audience that post is visible to.  Go take
> a look at LiveJournal for exactly what I'm talking about.

Ok, I did :-)  I think I understand what you want to do.

As Alan says the infrastructure for representing groups of people per  
user is missing.  You could implement this pretty easily using the  
RBAC system I have in my head :-)

The basic idea behind RBAC (role based access control) is that you  
have users you can identify, permissions to do stuff (in this case do  
something to a blog or (for your idea) blog entry), and roles  
(basically abstract names).  Then you have user-role associations and  
role-permission associations (you can also have role hierarchies,  
role-role associations, but they aren't necessary for this).  A user  
gets a permission through a user-role association and then role- 
permission association.

Here, to use the LiveJournal wording, each user gets to set up a role  
for their friends and a role for each custom friend group. Then for  
instance to make something visible to a particular custom friends  
group you'd assign the view permission for that something to the  
custom friends group you have in mind.

While it might seem a little odd to use roles for this -- often  
people think of roles as more static, set up by administrators, fewer  
in number, etc -- this parallels the implementation of discretionary  
access control using rbac.  I like rbac because it provides a fairly  
clear framework for thinking about authorization and lets you  
implement a very wide variety of policies using the same basic  
system.  For instance you can implement both this -- the extreme of  
user-based permission management -- and a completely administrator- 
administered access system using the same framework.

I have a couple ideas on how to implement the permissions also which  
I can go into if you want.

david jencks

> -Zac
> ______________________________________________________________________ 
> __
> Delivered using the Free Personal edition of Mailtraq  
> (

View raw message