[Maintain-dev] [JIRA] Created: (MNT-1549) User Access Levels

[Frederic Wenzel (JIRA)]

User Access Levels
------------------

         Key: MNT-1549
         URL: http://bugs.osuosl.org/browse/MNT-1549
     Project: Maintain
        Type: Improvement
    Versions: 3.0, 3.1, 3.0.0-RC1    
    Reporter: Frederic Wenzel
 Assigned to: Michael Clay 
    Priority: Urgent


Maintains user access levels need to be enhanced.

Currently, if a user knows the name of a module, they can access the module's pages even if there is no link for them to follow. Putting this kind of security on the shoulders of module programmers is not a good idea.

Instead, we should keep a default user level around that's needed to watch any page, module or not, by default. If somebody is below (or happens not to be in the zone user table at all), they can login but not do anything.

Then modules can white- and blacklist themselves, i.e. lower or raise their minimum access level. An "autoreg" module (intended to put new users into Maintain that are not in there yet) would lower the access level of its registration form to 0 so that everybody can access it.

In turn, admin-only modules could, besides implementing the usual is_admin checks, raise their access levels to 100 so that non-admin can't even access the module page in the first place.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://bugs.osuosl.org/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira