[wp-hackers] User Capabilities

Ryan Boren ryan at boren.nu
Tue Jul 5 22:27:02 GMT 2005


On Fri, 2005-07-01 at 11:34 -0400, Mark Ghosh wrote:
> Ryan Boren wrote:
> 
> >I'd prefer to get away from user levels entirely.  A user can either
> >edit other users' posts, or not.
> >
> >A more useful and understandable model would be to limit roles to
> >categories. 
> >
> 
> I have to agree. The user level system has never been quite as 
> transparent as I would have liked it (as a WordPress user).
> From my professional experience, a detailed user flags system with 
> flags (or bit flags) which can be modified through a user management 
> page has worked very well.

I find most of them to be horribly complex and confusing.  Permissions
is one of the hardest concepts to expose cleanly.  Oftentimes users are
pretty much asked to understand a Lampson matrix.  Not nice.  Matters
get especially confusing when users can inherit privileges from
groups/roles.  Now you get to worry with capability masking.

I guess we need to answer some fundamental questions.  Do we allow
editing of users and roles?  My sample implementation does not provide
for this.  Roles can be manipulated only by plugins, and users don't
have individually configurable capabilities.  Users have a role and
that's it.  The UI for this would be very simple.  Instead of giving a
user a level, you give them a role.  A dropdown will do.  If the default
roles aren't to the site administrator's taste, it's plugin time.  This
hides lots of complexity.

I can see possibly providing a Role provisioning UI and saving the roles
in the DB.  I'd rather not have editing of user capabilities beyond
assigning them a role.  If you have someone who doesn't quite fit the
current roles, create a new role for them.

Ryan
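
The model described in the message above (each user holds exactly one role, roles carry the capabilities, and a site-specific need is met by a plugin registering a new role), as an added example that is not part of the original post and not WordPress code. The class, role and capability names are hypothetical, and PHP 8 is assumed:

```php
<?php
// Hypothetical classes and capability names (constructed); not WordPress's API.
final class RoleRegistry
{
    private array $roles = []; // role name => [capability => true]
    // Core registers the defaults; a plugin calls this to add a new role.
    public function addRole(string $name, array $capabilities): void
    {
        if (isset($this->roles[$name])) {
            throw new InvalidArgumentException("role '$name' already exists");
        }
        $this->roles[$name] = array_fill_keys($capabilities, true);
    }
    public function exists(string $name): bool { return isset($this->roles[$name]); }
    // Deny by default: an unknown role or an unlisted capability is false.
    public function roleCan(string $role, string $capability): bool
    {
        return isset($this->roles[$role][$capability]);
    }
}

final class User
{
    public function __construct(private RoleRegistry $registry, private string $role)
    {
        $this->setRole($role); // rejects a role the registry does not know
    }
    // The only per-user permission setting is which role the user holds.
    public function setRole(string $role): void
    {
        if (!$this->registry->exists($role)) {
            throw new InvalidArgumentException("unknown role '$role'");
        }
        $this->role = $role;
    }
    // One lookup: no per-user grants and no inherited roles to merge or mask.
    public function can(string $capability): bool { return $this->registry->roleCan($this->role, $capability); }
}

$registry = new RoleRegistry();
$registry->addRole('author', ['edit_posts']);
$registry->addRole('editor', ['edit_posts', 'edit_others_posts']);
$user = new User($registry, 'author');
$before = $user->can('edit_others_posts');
// A plugin adds a role for a user who fits none of the defaults.
$registry->addRole('proofreader', ['edit_others_posts']);
$user->setRole('proofreader');
var_dump($before, $user->can('edit_others_posts'), $user->can('edit_posts'));
```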


