dotLRN Roles, Sections, and Permissions
dotLRN Permission API
by Ben Adida.
The dotLRN access control mechanism will rely on OpenACS's permissions
system, but will be completely layered. This means the underlying
permission scheme can change.
Relational Segments & Context IDs
In order to make things much cleaner with respect to permissions, we
use relational segments and context IDs. The goal of relational
segments will be to determine groups of users to whom permissions
are granted. The goal of context IDs will be to create a hierarchy of
objects so that as new components are added to subcommunities,
permissions are naturally extended in appropriate ways.
For this to work, the actual privileges used throughout dotLRN and all
of its modules must be consistent. Since permissions follow an
inheritance path, we must make sure everything bootstraps off the
basic read, write, create, delete, admin privileges.
To better explain the situation, we want the following to happen:
- Hal is a member of "Intro to Computer Science Spring 2002" group, with relationship
type dotlrn_instructor_rel to that group.
- An FAQ about the Computer Science Program is created for "Intro
to Computer Science Spring 2002", with context_id pointing to
the course.
- A relational segment "Intro to CS Spring 2002 Instructors" is
created on the "Intro to CS Spring 2002" group and
dotlrn_instructor_rel relationship type.
- The privilege faq_admin exists, inheriting from
the core OpenACS admin privilege.
- A permission is granted: "Intro to CS Spring 2002 Instructors"
are given the admin privilege on the course "Intro to
CS Spring 2002".
- Thus, automatically, Hal has the right to admin the FAQ,
because the admin privilege translates to the faq_admin privilege by
inheritance, Hal is part of the relational segment in question, and
the FAQ in question has a context_id pointing to the course. It's BEAUTIFUL!
General Roles API
These are fairly straight-forward:
- dotlrn::user_add user_id
- dotlrn::user_remove user_id
- dotlrn::guest_add community_id user_id
- dotlrn::guest_remove community_id user_id
Access Control API
- dotlrn::user_can_browse_p ?user_id?
- dotlrn::require_user_browse ?user_id?
- dotlrn::user_can_read_sensitive_data ?user_id?
- dotlrn::require_user_read_sensitive_data ?user_id?
- dotlrn::user_can_read_community_type_p community_type ?user_id?
- dotlrn::require_user_read_community_type community_type
?user_id?
- dotlrn::user_can_read_community_p community_id ?user_id?
- dotlrn::require_user_read_community community_id
?user_id?
- dotlrn::user_community_member_p community_id ?user_id?
- dotlrn::require_user_community_member community_id
?user_id?
- dotlrn::user_can_admin_community_p community_id
?user_id?
- dotlrn::require_user_admin_community community_id ?user_id?