01358: Allow specification of authorization groups using references

Summary: Allow specification of authorization groups using references
Created: 2014-11-18 13:38
Status: Open
Category: Feature
From: RandyB
Priority: 4

Description: Imagine a website with hundreds or thousands of user accounts, and multiple authorization groups.

It would reduce the risk of administrative error to allow authorization groups to be defined to include other authorization groups. Group memberships could be resolved when the user logs in, just as if the definition had literally specified all the members of the component groups instead of just a reference to the group.

So suppose I'm a writer, with permission to edit pages, and you're a moderator, with permission to both edit and delete pages. Instead of specifying that I belong to @writers and you belong to both @moderators and @writers, you could add an authorization group called @editors, like this:

@editors: @moderators, @writers

(:if authgroup @editors:) would recognize both of us as being editors, and the only edit permission to assign to restricted pages would be @editors.

Of course, I can already specify both @writers and @moderators as having edit permission. But suppose later I add another type of moderator called @powermoderators. Every page that was authorized to let @moderators edit would have to add @powermoderators to its permissions. Alternatively, every user who is a powermoderator would have to be defined also to be a moderator. Either way, there is redundancy, and thus risk of error and extra work to do when assigning permissions.

This feature could simplify and reduce the redundancy.

RandyB November 18, 2014, at 01:42 PM

See also 01232 (AuthUser groups included in other groups). --Petko November 18, 2014, at 02:55 PM