Notings of Attention™
Acmlmboard 2 Released
Github/GIT | @acmlmboard
Chatting Places
Discord

Affiliates
Super Mario Bros. X | Kuribo64 | NeoRHDN
Views: 11,030,603
Main | FAQ | IRC chat | Memberlist | Active users | Latest posts | Stats | Ranks | Online users | Search
11-21-24 02:42 PM
Guest: Register | Login

0 users currently in AcmlmBoard Developer Zone | 5 bots

Main - AcmlmBoard Developer Zone - Permission system design shiz
Next newer thread | Next older thread


Arisotura
Posted on 02-13-15 07:42 PM, in Link | ID: 81869
Developer
pancakes
Level: 84


Posts: 672/1870
EXP: 5546164
Next: 115788

Since: 01-05-12
From: France

Last post: 38 days
Last view: 38 days
This is about the permission system I designed for my Acmlmboard branch (Acmlmboard 2.064).


Permission set shrunk down to the basics

All while still giving enough control of course (you'd be better off using powerlevels otherwise). But for example, we reduce the level of control for cases that aren't needed. Forum moderation permissions are merged into one 'moderate forum' permission, because you will rarely ever need more control over it.

There are no permissions for things like 'view the registration page', 'view the login page', etc... Those things don't need permissions, it all boils down to checking whether the user is logged in.

There are no separate groups for guests and bots. Those get the same permissions as normal users (minus things that require login). It's probably less flexible in restricting what bots can access, though.

The core permission set comprises 17 permissions. Compare that to Blargboard and its 45 possible permissions.


Groups and shiz

Here is how permissions are computed.

First, we take the user's primary group permissions. Second, if the user is in any secondary groups, these groups' permissions can extend those of the primary group. And finally, the user's permissions can restrict the final permission set.

Primary groups also have 'deny masks' that forcefully restrict the final permissions. The use is for example, for a banned user group, so banned users have all their permissions properly revoked even if they belong in secondary groups that would give them permissions.


Compact storage

The Blargboard design took one table row per permission per group/user/forum.

The new design stores permissions in the form of bitmasks. It only takes one table row to store all the permissions for a given group/user/forum, and the final permissions of the current user are computed quickly (really just a series of logical operators).

A downside is that this makes editing permissions via PMA more involved.

____________________
Kuribo64 - melonDS

want some revolution in your coffee?

Squiddy
Posted on 02-14-15 08:34 AM, in Link | ID: 81925
Banned
Unspecificed Cooling Off Period. Be Safe
Bisexual Empress of the Stolen Title?
Level: 143


Posts: 5552/6751
EXP: 35713941
Next: 117867

Since: 07-17-13

Last post: 3417 days
Last view: 3324 days
I know you don't plan on giving Global Moderators and below the ability to edit users but is there some sort of check so that a Global Moderator can not edit an Administrator? If so, I'm assuming it's like a sortorder check or rank check which is linear, rather than a MySQL query wall for checking group and subgroup permissions which is complex?

____________________
Sunshine Realm
Welcome to Aqmlm's, the only board with Al-Aq'mlmistrators!

Arisotura
Posted on 02-14-15 01:05 PM, in (rev. 2 of 02-14-15 01:06 PM by Arisotura) Link | ID: 81935
Developer
pancakes
Level: 84


Posts: 679/1870
EXP: 5546164
Next: 115788

Since: 01-05-12
From: France

Last post: 38 days
Last view: 38 days
Global mods may eventually get ability to ban people, and perhaps edit but I don't think so.


It works like for Blargboard. Each group is given a rank value that works kinda like the powerlevels but more flexible. So basically, you can't edit a user if his primary group's rank is higher than yours.

This also prevents things like editing yourself to give yourself more power, and other fun privilege escalations.

____________________
Kuribo64 - melonDS

want some revolution in your coffee?

Emuz
Posted on 02-14-15 09:51 PM, in (rev. 2 of 02-14-15 09:51 PM by Emuz) Link | ID: 81943
Site Administrator

11 Hit Combo:
Mother's Rosario
Level: 109


Posts: 2551/3393
EXP: 13563634
Next: 396011

Since: 12-30-11
From: Akron, Ohio; USA

Last post: 114 days
Last view: 3 days
Very nice.

For the bots and guests you could religate that to a system that actually just flags someone one or the other and have it handle it and not the perm system. The most important thing that the bots perm does here is prevent nesting cal caching, and to block counter incrementing for guests for a better and more accurate count.

As long as you put together some way to edit the bitmasks a guide or a tool I think it's not a problem. You would want to make an board tool if you ever go public with that system of course.

bitmasks were the other method I had in mind a long time ago when we first started drafting the perm update in the chatter stage. I have a lot of experience using them in my RO and IRC days.

Are you going to forgo the idea of the Root level or are you going to add that as well? I find that coming from so many experinces with I1 that it's good to have something like that. That's why I brought the concept over from ABXD. Orginally Acmlm and I had a few lines hard coded that always set our IDs to the admin pow level.

Well done. :) If we go forward with Python I don't think we should limit ourselves to just talking about the two. However I like the form of this one

The Dynamic Profile Administratorâ„¢


"Never Knows Best"
Note: if you can see this my layout broke. ALL THE CREDITS WILL BE REVEALED!!
'Victory Noriko' by @thatsheepagain.
'Chibi Dance Noriko' by @Haru__Kitsu.
'Deity's Night Out (Featuring Gabbie)'
by @thatsheepagain
Noriko Emotes by @Haru__Kitsu.
Side Bar Noriko by @thatsheepagain
'Noriko's Nature Walk' by @projectTiGER_
Emotive Noriko by @thatsheepagain.
"Space Candy Noriko" by BerryVerrine.
"Super Sharp Noriko" by Xionfes.
A gift illustration from the wonderful EverKinzPony!
"Magical Girl Noriko" by @cute_hospital!
"Patient Chibi Noriko" by @Ruii_ki!
'Dapper '60s Noriko' by @thatsheepagain.
'Shiny Chibi Noriko' by @inioli.
'Flower Veil Noriko' by @Sushiee_.
'Noriko in Realism' by @_Sarybuu.
'Noriko's Midnight Adventure' by @projectTiGER_
'Yukata Noriko' by @yunyunmaru_
'Birthday Wishes Noriko' by @thatsheepagain

Scrydan
Posted on 02-14-15 11:26 PM, in Link | ID: 81952
Normal User
Scryforce - A place that still exists. Neat.
Level: 86


Posts: 1889/2020
EXP: 6096632
Next: 45475

Since: 07-18-12
From: USA

Last post: 982 days
Last view: 964 days
Posted by StapleButter
Permission set shrunk down to the basics

All while still giving enough control of course (you'd be better off using powerlevels otherwise). But for example, we reduce the level of control for cases that aren't needed. Forum moderation permissions are merged into one 'moderate forum' permission, because you will rarely ever need more control over it.


I must say, my original change to the permission system would have had it where it combined multiple of the existing permissions into one, and anything that is "global this" or "ID specific" would have just been combined into a different scope of the base permission. If I recall, the old permissions currently existing in this board is still "edit-forum" and "edit-all-forums" or something to that degree? I haven't looked into the code lately so I wouldn't know.

As for combining things like allowing someone to edit posts in a forum with something like allowing them to move threads out of this forum, I must say I disagree. As for an example, you might want to have posts be edited in this particular forum but you don't want them to be moved out. You pretty much limit the permission system to checkboxes that say "hey, are you a local moderator?" or "do you manage the forums?". To me, the permission system should allow for things that the original board author does not necessarily intend to use for his own site. While it may seem logical to you to simplify or "dumb down" the permissions, I say it is a step back towards powerlevels. If it isn't hurting you to have the ability, don't fix what isn't broken by tying your own hands into "cookie cutter permissions". And while I loved powerlevels, to me this system is powerful and can be made a lot more powerful. Then again, using my own system as an example, I know that all too well.

(Like allowing a user to edit a specific account or whatever. Sure many owners won't even use it, but hey you can. It allows freedom to do things without editing hardcoded pages. But I do agree they need revamped. If anything, to allow more flexibility with less permissions. Have less but do more.)

Posted by StapleButter
There are no permissions for things like 'view the registration page', 'view the login page', etc... Those things don't need permissions, it all boils down to checking whether the user is logged in.


I must say that this is simply something that never should have had permission in the first place - EXCEPT for the fact some sites may have registration off and make staff do registration so they may want to be allowed to make accounts while logged in and disallow it to guests.

Sure you may not do this and there's a better way (like simply setting it as a registration setting), but I've seen a site or two need this functionality to prevent bots. Registration may be the only thing that should keep like it is in this case. Login should, of course, not need permission but just check login. There's not much point to login again, even if as someone else because you should simply just log off if you're one of those people needing multiple accounts. But alas, there might just be someone who does think it should be permission tied. Really it is about the uses you have out of it. Everyone will have a slightly differing opinion about what would need axed.

Posted by StapleButter
There are no separate groups for guests and bots. Those get the same permissions as normal users (minus things that require login). It's probably less flexible in restricting what bots can access, though.

There was a time I'd agree with this approach back when I wanted minimal groups back in my powerlevel loving days slowly graduating to permissions. However, this is assuming a website owner wants every page a user to view to also allow guests - besides the obvious hardcoded areas. This then means you need to hardcode some function to prevent guests from accessing places. While things like posting are a no brainer, some places or pages may want to be restricted to only users - and on the other hand, another owner may want said pages to be viewed. Let me give you an example that you'll possibly disagree with.

Let's say the calender is like the one I have now (it is functioning with events you can add and birthdays, etc). What if you only wanted it to be accessed by users? What if there's private stuff? Why sure you could code a "visibility selection" for the particular event to prevent guests (for there are private events), but doing so for every event seems silly. But for everything you hardcode, there's someone out there that thinks it can be done a better way. Which is why there must be a balance to everything you restrict out for guests/bots.

You probably might have noticed I personally removed the "Bots" group from my listing, but in truth it is just handled in a different manner that does not require you to dedicate a group ID for bot permissions. Same could be done with guests. I just use them as a base since they have another use (like default view groups and setting them to 1/guestid for "all").



All in all, you will all do what you think, but it is moments like this I don't even know where the project is going anymore. :P
(Then again, since two years ago I felt like that...)

Squiddy
Posted on 02-14-15 11:37 PM, in (rev. 2 of 02-14-15 11:41 PM by Squiddy) Link | ID: 81953
Banned
Unspecificed Cooling Off Period. Be Safe
Bisexual Empress of the Stolen Title?
Level: 143


Posts: 5562/6751
EXP: 35713941
Next: 117867

Since: 07-17-13

Last post: 3417 days
Last view: 3324 days
There is only one "edit forums" permissions which allows a user to edit all categories and forums. I recently made the permissions for titles, displaynames, custom username colors, and extended profile fields like the the permissions for editing users and editing mood avatars such as the "update own profile", "update user profile", and "update profiles" permissions.

The problem with this, though, is that it become very complex and ends up taking more RAM due to query counts. Before flexible permission where setup, the ismod() function provided every single moderating perm. While yes, some board owners may want to toggle moderating perms like having one user able to edit posts but not sticky threads, etc., Arisotura's AB2.064 isn't meant for a public release anyway. But, he did say that he may contribute code that official AB2 may need.

____________________
Sunshine Realm
Welcome to Aqmlm's, the only board with Al-Aq'mlmistrators!

Arisotura
Posted on 02-15-15 02:05 AM, in Link | ID: 81964
Developer
pancakes
Level: 84


Posts: 682/1870
EXP: 5546164
Next: 115788

Since: 01-05-12
From: France

Last post: 38 days
Last view: 38 days
As Squiddy said. This is my own design, AB2.5 doesn't have to follow it or anything. I'm just providing it for the sake of providing ideas.


The thing about "letting a user edit posts but not move them out", well, in most cases, you will either want your moderators to have all the possible moderative permissions, or you won't care about that. It may have uses though.

But then there is also the part where you're supposed to be able to trust staff members to an extent. If they do stupid shit, you demote/ban them.


As for the guests vs users part. I find it silly to require registration for things like viewing forums or viewing extra pages. Unless registration has an entry barrier (like requiring a specific reg password), each guest is only a few clicks away from becoming a user. Forced registration annoys people and gets you a ton of worthless accounts. This is the main logic behind giving guests the same permissions as normal users.

Of course, there are admins who will want to do those things anyway. But I find them silly.

____________________
Kuribo64 - melonDS

want some revolution in your coffee?

Emuz
Posted on 02-16-15 08:55 PM, in Link | ID: 82214
Site Administrator

11 Hit Combo:
Mother's Rosario
Level: 109


Posts: 2554/3393
EXP: 13563634
Next: 396011

Since: 12-30-11
From: Akron, Ohio; USA

Last post: 114 days
Last view: 3 days
The one thing you can do is a have "registration Required" board with maybe one forum or announcement section to explain that it is so. That's just simply making all but those private forums.

Right now 2.5 is an example of the board bring run completely from the the permissions system. That actually in practice can be a bit much. It's nice for flexibility but we did kind of make it too complicated with less gain than we could have with a more concise system. Don't get me wrong I designed the initial specs and Bouche created the current system. He did a good job I think. But perhaps next time a bit more of a conservative mindset would prove better overall...

The Dynamic Profile Administratorâ„¢


"Never Knows Best"
Note: if you can see this my layout broke. ALL THE CREDITS WILL BE REVEALED!!
'Victory Noriko' by @thatsheepagain.
'Chibi Dance Noriko' by @Haru__Kitsu.
'Deity's Night Out (Featuring Gabbie)'
by @thatsheepagain
Noriko Emotes by @Haru__Kitsu.
Side Bar Noriko by @thatsheepagain
'Noriko's Nature Walk' by @projectTiGER_
Emotive Noriko by @thatsheepagain.
"Space Candy Noriko" by BerryVerrine.
"Super Sharp Noriko" by Xionfes.
A gift illustration from the wonderful EverKinzPony!
"Magical Girl Noriko" by @cute_hospital!
"Patient Chibi Noriko" by @Ruii_ki!
'Dapper '60s Noriko' by @thatsheepagain.
'Shiny Chibi Noriko' by @inioli.
'Flower Veil Noriko' by @Sushiee_.
'Noriko in Realism' by @_Sarybuu.
'Noriko's Midnight Adventure' by @projectTiGER_
'Yukata Noriko' by @yunyunmaru_
'Birthday Wishes Noriko' by @thatsheepagain

Arisotura
Posted on 02-16-15 08:59 PM, in Link | ID: 82215
Developer
pancakes
Level: 84


Posts: 694/1870
EXP: 5546164
Next: 115788

Since: 01-05-12
From: France

Last post: 38 days
Last view: 38 days
Don't be hard on yourselves guys, flexibility is always good. The real challenge is creating an interface that exposes all of the system's power and doesn't suck.

____________________
Kuribo64 - melonDS

want some revolution in your coffee?

Emuz
Posted on 02-16-15 09:25 PM, in Link | ID: 82219
Site Administrator

11 Hit Combo:
Mother's Rosario
Level: 109


Posts: 2555/3393
EXP: 13563634
Next: 396011

Since: 12-30-11
From: Akron, Ohio; USA

Last post: 114 days
Last view: 3 days
Posted by StapleButter
Don't be hard on yourselves guys, flexibility is always good. The real challenge is creating an interface that exposes all of the system's power and doesn't suck.


Oh I don't mean to sound like I am hard on ourselves or anything like that. I like the system. I just think that to make things easier over all it we could narrow it down. IE: Practicality comes with a more narrow scope. :)

The Dynamic Profile Administratorâ„¢


"Never Knows Best"
Note: if you can see this my layout broke. ALL THE CREDITS WILL BE REVEALED!!
'Victory Noriko' by @thatsheepagain.
'Chibi Dance Noriko' by @Haru__Kitsu.
'Deity's Night Out (Featuring Gabbie)'
by @thatsheepagain
Noriko Emotes by @Haru__Kitsu.
Side Bar Noriko by @thatsheepagain
'Noriko's Nature Walk' by @projectTiGER_
Emotive Noriko by @thatsheepagain.
"Space Candy Noriko" by BerryVerrine.
"Super Sharp Noriko" by Xionfes.
A gift illustration from the wonderful EverKinzPony!
"Magical Girl Noriko" by @cute_hospital!
"Patient Chibi Noriko" by @Ruii_ki!
'Dapper '60s Noriko' by @thatsheepagain.
'Shiny Chibi Noriko' by @inioli.
'Flower Veil Noriko' by @Sushiee_.
'Noriko in Realism' by @_Sarybuu.
'Noriko's Midnight Adventure' by @projectTiGER_
'Yukata Noriko' by @yunyunmaru_
'Birthday Wishes Noriko' by @thatsheepagain

Next newer thread | Next older thread
Main - AcmlmBoard Developer Zone - Permission system design shiz


Acmlmboard v2.5.6 (06/11/2024)
© 2005-2024 Acmlm, Emuz, et al.

Page rendered in 4.242 seconds. (864KB of memory used)
MySQL - queries: 138, rows: 576/610, time: 4.222 seconds.