Previous Thread
Next Thread
Print Thread
Hop To
#132703 10/04/1999 1:49 AM
Anonymous
Unregistered
Anonymous
Unregistered
I think I may of made this suggestion before, but I will try to make it simple.

I think that one of the most simple ways to make a true Private Conferencing system is with access tags (or keys). When a Admin setup a board as a Private Conference they will not only set the "Security Level" but will set that boards Read/Write access tags. This can be done with a simple letter system. The letters work a key or tag that give the user write on that board.

Board Title: Sample1
Security Level: 50
READ: AA
READ/WRITE: BA

Board Title: Sample2
Security Level: 50
READ: AB
READ/WRITE: BB

Then the Admin can edit a users Access Tags (or Key Ring) field and enter the letters correct for he writes.

AccessTags: AA, BB

With the above tags a user with a <font color=red>Security Level 50</font color=red> will have <font color=green>read</font color=green> access to board sample1 and <font color=green>read/write</font color=green> access to sample2. If a user has <font color=red>Security Level 50</font color=red> and none of the matching access tags they will not have access to the boards.

I do think this would be a simple way of handling Private Boards and it should not be hard to add to WWWThreads.
-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Anonymous
Unregistered
Anonymous
Unregistered
Editing individual user's rights would be quite challenging for sites having a big userbase. If this is to be implemented, a more advanced mode for listing users (newer/older than no. days/date, security higher/less than X, rights equal/less/greater than value/key/mask) may be needed.

Anonymous
Unregistered
Anonymous
Unregistered
Why not just use a password system like some private chat rooms. The creater can use the built-in messaging system to email the password and invite someone to log in the private conferencing board. Quick and easy.

Anonymous
Unregistered
Anonymous
Unregistered
Board moderator would be the one to administer these groups, wouldn't he/she?


Timo

Timo.Tsh.Hyvonen@sonera.fi
+358-2040-65348
<url>http://www.iki.fi/tsh/</url>

Anonymous
Unregistered
Anonymous
Unregistered
If you just have a password on a board then that password can be given to others. The only way it could be done with this system is if someone turns over there account to someone else.

I think your thinking private chat room, not a Private board. You already have private message between two people with the Private Messages. With Private Board then only a select group of people can access a board when they have rights to it.

-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Anonymous
Unregistered
Anonymous
Unregistered
I do think you would need to have the option for the Moderator to give or take away a access tag (key) to a board. I don't think the Moderator needs access to all of that users tags, this could open up a security problem.

-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
Great, this is the type of discussion I was hoping for. What about view tags. Should this be included as well or if they have neither then do they not see the board?

Also, upon creating or editing a board there should be a way to make it totally open, so for a common board you don't have to go and edit everyone's permissions.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
It should not be hard to create mode that you basicly ckeck off the users who you wish to give the access tag (key) to or take away from. This would also be a good option for the moderator also. This way they could only remove or add users from a board and not have access to the users other tags.

-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Anonymous
Unregistered
Anonymous
Unregistered
-I think the "VIEW" tag would be the same as the "READ" tag. View maybe a better word then read.

-You could have a tag for not viewing a board, but would it not be simpler not to give, or just take away the "VIEW" tag.

-If you don't give a board a tag(s) then everyone with that Security Level would have access to the board. So under editing the board you could remove the tags.

If you remove tags however you would need for the system to remove the tags from the users also. This way if you use the same letters for tags in some other board, you will not give the wrong users access.

-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Anonymous
Unregistered
Anonymous
Unregistered
I guess a second option would be to create an access table in the database.

This table would have the fields

board
user
read
write

this may slow down things a little to have one database for all boards, so you may need to have an access table for each board.


-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center

Anonymous
Unregistered
Anonymous
Unregistered
I actually like the idea of using ACLs (Access Control Lists) in conjunction with groups. For each forum you can add a list of users individually by name or use group names (which contain individual names). Each entry in the list could then nbe assigned the "tags" you refer to in your post.

So, for Forum A I want to have it open to the public and accessible by ALL. There could be a special group name that contains ALL users. This woul dbe the default lets say. Then if you wish to restrict access to a select group of users, you could only list that groups name in the ACL and then add people to the group when you wish to add people. With this type of system you could have read only for ALL users and then include a group for individuals who you wish to be allowed to post. So it essentially becomes a read only forum but a select group gets to post messages.

This removes the "Level" altogether which I believe would be a good thing.

Just my .02 cents! <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />

Regards,

Strategist

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
I like the idea of using Groups. This will make it alot easier to check privileges on the individual boards. Also it will make for a smaller privilege table. Instead of having to list every user that has permissions for each board, the group could be used.

An idea, that may add to the complexity but probably will add more flexibility. When creating or editing a board, there could be a couple of extra fields. Those being: allow read, allow write, deny read and deny write. This way you could go either way. If you have a few people that you want to give write access to you can put them in a group and then give them the allow write permission. Or if you have a few trouble users, you can put them in a group and assign them the deny write privilege.

Again, open for thoughts and suggestions. I would like to get the pretty much hashed out before I even start working on this.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
I like it, Scream! Use those four options as check boxes. The on/off will basically outline which group/user can do what. It adds a great deal of flexibility for the admins and moderators. Excellent idea! I'm all for it!

Back to the groups concept, the groups would be used universally. So you can use the same group(s) throughout the different forums without having to recreate them. Create a group, use it for all or none of the forums - admin's choice.

Regards,

Strategist

Anonymous
Unregistered
Anonymous
Unregistered
I like the idea of Groups as well. Can I assume that there will be no
limit on how many groups one user can be assigned to?

EdR

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
At this point I would say yes. And if a user belongs to 2 groups that have different privileges for a forum, the most restrictive permission would apply.
---
Scream
http://www.wcsoft.net

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
A followup note. The main reason this features has taken so long to get in, is I don't want to end up having it compromise functionality for speed.

At this point, with security levels: If a user does not have permission to read a board, they will not know if that board exists in the forum list. This can be done quickly because when doing the query we only select forums with a security level equal or lower than the users.

With the new groups. This really will not be a possibility. Otherwise there would have to be an extra query for each board to see what group can read the board and what group the board is in. And if you have quite a few boards, this will lead to a lot of extra queries.

So, what it looks like right now is a user will be able to see all of the various forums but when they try to enter one, it will then check their groups against the allowed groups and see if they have the proper permissions, and if not it will let them know.

This isn't set it stone yet. I'm still trying to work a better way, but if all else fails that is the way it will end up for now.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
Scream,

I'm not sure I understand what you mean by applying the most "restrictive" permission.
What if there are mutually exclusive groups A and B that give access to private
sets of forums fA, and fB. How would you define the most "restrictive" permission?
If I enrolled a user in groups A and B would he/she have access to both sets of
forums?

EdR

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
Ok, let me clarify this. It isn't necessarily the most restrictive. It would work like this:

User A belongs to the following groups: Guests and Special

Forum 1 is set to allow read: Guests
Forum 1 is set to allow write (read and write): Special

In this case, since he is a member of Special he will have full privileges on this forum, even though the Guests group only has read permission.
---------

A different example would work like this:

User B belongs to the following groups: Guests and Badusers

Forum 2 is set to disallow read: Badusers
Forum 2 is set to disallow write (read and write): Guests

In this case, even though Guests group isn't disallowed from reading the forum, User B does belong to the Badusers group so he can neither read or write.
---------

Hope this makes sense. When you are dealing with multiple groups you may have differing permissions for a user on a certain forum, so this needs to be handled properly.

Now, it doesn't have to be this way. We could go with each user can be set to one group, and then we wouldn't have to worry about this. This would make administration easier and it would be *alot* easier to code, but wouldn't provide as much flexibility.

I am open to doing it either way, but that's why I posted this here for discussion is the people who are going to be administrating the forums should be able to decide how this will work.
---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
Thanks for trying to explain. I think I understand *if* by above you
mean the following: There will be 4 permission fields, each of which
can have 2 values:

FIELD......................SETTING
======================
allow read...............ON or OFF
allow write................ "...."....."
disallow read .......... "...."....."
disallow write............"...."....."

where having "allow read" turned off is not the same as having
"disallow read" turned on.

If this is not what you mean, and you are only talking about 2
fields: "allow read" and "allow write", then if you try assigning
one person to two mutually exclusively groups, he/she
won't be able to access any of the forums in either group
because one group will "disallow read" the other group's
forums, and this will always be the applied "most restrictive"
case. Sorry for being dense if I'm still missing your intent.

EdR

Anonymous
Unregistered
Anonymous
Unregistered
I forgot to mention in my first reply that I definitely think the more
flexible model is the way to go. The other model (only one group
assignable to each person) is arguably no more flexible than the
current setup, since we won't be able to tweak board security
levels in the new paradigm. In any case, thanks for taking this on.
Hope it's fun. ;-)

EdR

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
You are close. Their will be an option of allow or deny for each forum. No need for both. If you have a forum where you want only a few people to access it, then you would choose the allow option, and choose which groups have access to it. If someone becomes a trouble maker, then you take them out of that group. If you have a forum where you want everyone to have access to it, except for a few people, then you would choose the deny option, and choose which groups you don't want to have access to it.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
OK. Now I got it. Thanks for elaborating. It makes sense.

EdR

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
Ok, the private conferencing feature has been pretty much mapped on on how it will work. This is really going to change the way several things work.

Currently upon board creation you choose who can post on it, Admins only, Admins and moderators, or admins, moderators and users. This is no longer going to be needed.

Secondly, right now there are security levels in the forums. These are no longer going to be used. This might cause a bit of a problem for users that have taken quite a bit of time to create various security levels and such but in the long run, the new system will be much more flexible.

The reason these will be no longer needed is each board can be set to allow read only, allow read and write for certain groups. Privileges will be assigned to groups, and you can assign a maximum of 60 groups per privilege field. Each user will be assigned to any number of groups up to a maximum of 60.

There will be 4 default groups. Guests (users who have not logged in), Users (Users who have logged in), Moderators and Administrators. By default when the tables are updated they will be set to allow read and write by the Guest group and the Users group (Moderators and Admins are members of the Users group by default).

So, this is just to let everyone know how it is looking so far. It should provide for a very flexible system. If a user is in a group that does not have read privileges for a certain board then they will not be able to see that board.

Originally it was planned to have a deny from groups option, but after looking into this further this would have made the program much more complex and in doing so would have increased the server resources used.

This is just in the beginning stages and there may be a few unexpected hurdles to overcome, but this is the plan thus far. I posted this message here in case anyone has any questions and would like to discuss it here.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
OK. I almost completely understand the setup, but you make one statement that brings
me back to my former state of confusion. I'm referring to when you state:

"If a user is in a group that does not have read privileges for a certain board (either by not
being allowed or by being specifically denied) then they will not be able to see that board."

Hypothetical: I have two groups: Doctors and Patients, each with it's own private board . The
Doctors group does not have access to the Patients' board and the Patients group does not
have access to the Doctors' board. I have a doctor who specializes in doctor-patient interactions
and I want him to participate in both boards. Can I just add him to the patient group so he will
be in both the Doctor and Patient groups and have access to both boards, or do I need to create
a third group of people who can access both boards? I would much prefer the former because
it's far more flexible and less time consuming. Having to create a new group every time I want
to give someone a unique set of permissions would create a tremendous amount of work for me
as an administrator. I'm guessing that I misinterpreted what you said again. ;-)

EdR

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
Ok. First off. There won't be a deny from. This was going to make a much more complex system with heavy calculations and multiple SQL calls that would not have been nice on server resources. So, at this time there will only be an Allow Read, and an Allow Read and Write.

Secondly to answer your question. Yes, you could just assign that one doctor to The Patients Group and the Doctors Group and he would be able to access both boards.
---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
A reprint of my message from February, http://www.wwwthreads.com/perl/showpost.pl?Cat=&Board=wishlist&Number=9, in case it's of help. In short, I'm delighed to hear about "Groups"... and I think Groups themselves should be definable.

****reprint*****

Here's how I think it should be organized, ideally. You would create the concept of "User Classes", and allow the administrator to assign the capabilities of each class.
Guests get assigned "User Class 1", Registered users get assigned "User Class 2", and the admin would have to upgrade/downgrade users to other classes. Each "User
Class" would be assigned a configurable set of capabilities. For example:

Guest
-----
Read (Y)
Post (N)
Approve (N)
Open/Close Threads (N)
Approve Messages (in moderated boards/threads/users, ie where posts require approval) (N)
Prune (N)
Delete their own messages (N)
Delete other people's messages (N)
Mark Users or Threads as moderated (ie the posts require approval) (N)

Other classes of users would be entitled Registered Users, Supervisors, Moderators, Administrators , and there would be a spare class for funky setups.

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
I do like the ideas, but that is getting more into privileges. Right now the main focus is implimenting a high customizable and easy system for private conferences. So it won't go as far as what you suggested. Your ideas for extended privliges could very well be in a future release.

---
Scream
http://www.wcsoft.net

Anonymous
Unregistered
Anonymous
Unregistered
No problem... as you've stated, at least it puts down a flexible logic for future releases.

I guess the user groups and the board access privileges form a matrix... you're choosing to develop one side of the matrix first <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />
So group "X" has certain privileges which pertain to specific boards... and in the future, this "group checking" approach could be used for other user entitlements.

I'm just thinking aloud here... but it sounds like you're thinking of assigning board privileges *individually by board*, right? you could extend the logic we're talking about, and create "board groups". Actually, we've got "board groups" already - they're called categories.

So instead of going board by board and saying "Board X allows users in Group A to do this or that", you could say
"Any Board in Category X allows users in Group A to do this or that".

Sounds pretty similar, but I think that
a) it could be more efficient, just like having user groups is more efficient than having priveleges assigned individually by user
b) the privileges would extend themselves automatically if a new board is created in a given category.

Do you know what I mean?

Stephan

Anonymous
Unregistered
Anonymous
Unregistered
Great - sounds perfect. The "deny from" feature was not essential
IMHO. I would probably be more inclined to remove a person from
a group if that person was being disruptive, rather than adding
him or her to a special listing of disruptive users.

Anonymous
Unregistered
Anonymous
Unregistered
Please note the request under the customization forum regarding user-created boards... if you do decide to develop the "User Privileges" scheme down the line, you might want to add the ability to create boards as one of the privileges for a user group.

Anonymous
Unregistered
Anonymous
Unregistered
One more request along these lines- I'd like to see an easy way to set the default groups for new users based on category (or something else). Let me explain.

I am using the latest stable version which I just bought last Friday (4.3.2 I think). I have a category called "biomed" which I want only visible to the biomed people. No problem, just give them a category URL and do a wwwthreads.pl?Cat=2. However, if someone just goes to wwwthreads.pl, they can see the biomed category. No problem, set security above 50 and it will be hidden. Now the problem is (unless I'm missing something) that I would have to have everyone first register a username with the default user_security=50, then I would have to change that for them so they could get into the biomed category, or pre-create all the usernames and passwords. Not optimal. I'm thinking I could alter the bit in adduser.pl where it sets the security level to check the $Cat (thanks for passing that in Scream!) and if it is 2, then set their security to 60 or something.

Should work okay, but I decided I'd look around and see if anyone else had asked about this and see that the group system is well underway. Great! I just want to pipe in for an easy way to set up the groups so I can have, say, an Apache-passworded area with a newuser.pl-style login form which passes some hidden variables (or whatever) to automatically put them into the groups I want when they create an account. This would help immensely with my less sophisticated users, many of whom will only be using one category of the forums.

If I'm not being clear tell me! I may go ahead with my minor hack (although it sounds like you're pretty much discarding the security-continuum system), but thought if I could persuade you to put this into the mainstream version then I wouldn't have to try to patch it every time there's an upgrade. <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />

Anonymous
Unregistered
Anonymous
Unregistered
Allow me to reply to myself- what I suggested would be a security hole if anyone could put up a form that submitted to your CGI and allowed them to create an account with any group membership they put in a hidden variable. Maybe there could be a conf file (or DB table) which lists allowed referer URLS to use the special "set default group" function of adduser.pl- then you could put localhost, or www.wwwthreads.com, or even www.wwwthreads.com/path/to/my/form.html and get some really fine-grained control over it. Or maybe someone else has a better method to make sure this does not get abused.


Link Copied to Clipboard
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Recent Topics
spam issues
by ECNet - 03/19/2024 11:45 PM
Looking for a forum
by azr - 03/15/2024 11:26 PM
Editing Links in Post
by Outdoorking - 03/15/2024 9:31 AM
Question on barkrowler and the like
by Mors - 02/29/2024 6:51 PM
Member Permissions Help
by domspeak - 02/27/2024 6:31 PM
Who's Online Now
0 members (), 396 guests, and 110 robots.
Key: Admin, Global Mod, Mod
Random Gallery Image
Latest Gallery Images
Los Angeles
Los Angeles
by isaac, August 6
3D Creations
3D Creations
by JAISP, December 30
Artistic structures
Artistic structures
by isaac, August 29
Stones
Stones
by isaac, August 19
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)