[wp-hackers] User roles - GSOC proposal

Mike Schinkel mikeschinkel at newclarity.net
Tue Mar 30 22:30:32 UTC 2010 

On Mar 30, 2010, at 6:13 PM, Andrew Nacin wrote:
>> With a large number of roles these merged capabilities could get very
>> large; the number will grow exponentially for each new role added.
>> In your example are you proposing there would be a new *named*
>> "AdminEditor" role, or it would just be handled behind the scenes and if
>> someone modified Editor it will also modify the merged role too?
> 
> Not sure I follow. I was only referring to the upgrade path, that way a
> simplification of the roles/capabilities system in a future WP version would
> be 100% lossless.

I was assuming you were referring to ongoing, not just upgrade.

> If a site did not have any user with multiple roles, and
> no users had no user-specific capabilities, then nothing would need to be
> changed. Otherwise, for each user with multiple roles or user-specific caps,
> we would run them through a script that:
> 
> - Computes exactly which capabilities they possess, based on their role(s)
> and user-specific capabilities.
> - Checks for any other roles has exactly these capabilities.
> - If a matching role exists: Assign them to that role, and remove their old
> roles and old user-specific capabilities.
> - If a matching role does not exist: Create a new role for them with those
> exact capabilities. (If User B has the same capabilities as User A, then
> User B would get the same role that was created for User A.)

That will create a maintenance nightmare for the admin if the have even a small number of roles to handle.

> The end result would be that every user has no user-specific capabilities,
> and exactly one role, with that role consisting of exactly the capabilities
> they had before.

For a complex system you'll end up with nearly as many named roles as users.  That really doesn't make sense to me.  I've worked on a Drupal system where the only way I could manage the complexity of the roles was by being able to create different roles and assigning multiple roles to the user.

I do see why you want to go this route but I'd like to propose you consider and 3rd solution:

Implement it the way you are thinking for performance but make it appear in the admin that there are distinct roles.  Allow some roles to be *defined* roles and others to be *derived* roles.  

For example, let's assume we have ContentEditor and FilesModerator roles; both would be *defined* by the admin.  In the UI the admin could assign both roles to a user but behind the scenes a *derived* role of "ContentEditor-FilesModerator" would be created using the combination of the two roles (though this role would never be shown to the admin or to users.)  When the admin later updates the capabilities of ContentEditor the ContentEditor-FilesModerator role is also updated behind the scenes.

Simple for the end user and accomplishes the same performance goals you mention with the only downside it taking slightly longer to save a role when the role's capabilities are updated.

-Mike

More information about the wp-hackers mailing list