ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Beyond basic user management and permissions

August 09, 2010 3:48pm

  • #1 / Aug 09, 2010 3:48pm

    Chuck Liddell

    57 posts

    What are people doing when they have business models or systems that demand more than just simple user management?

    For example, I’d like to filter my content by category for my users (users have access to some or all categories of content from a specific set of categories). Users see the same channels but different variations of the content in said channel(s). One approach might be to do this based on user groups, but you quickly run into the brick wall of one group per user.

    Another scenario is that perhaps you allow downloads of files on your site but only to specific users. How can you maintain this list of users in a modular and reusable way other than to use a group and base permissions on membership in that group?

    A poor approach would be to create groups that have overlapping permissions (category1Group, category1And2Group) but you can see how this quickly becomes ridiculous and inefficient—the number of possible permutations of permissions is huge.

    Groups lend themselves naturally to doing this type of user subsetting, but the one group per user restriction kills it.

    My intention is to build out some EE addon or addons that provide the kind of functionality I’m talking about, but before I embark on that time-consuming task I’m hoping someone can say “Hey, stupid, there’s a really easy way to do this. Just do X, or so and so module already does this.”

    It seems to me like there is a fairly elemental piece of functionality at the heart of what I’m talking about that really opens the doors for a far more sophisticated level of user management.

    Thoughts? Thanks!

  • #2 / Aug 10, 2010 9:53am

    Boyink!

    5011 posts

    I wouldn’t say there is an obvious easy way to accomplish what you are after.

    Over the years I’ve seen solutions for bits and pieces of more fine-grained permissions:

    http://devot-ee.com/add-ons/entry-permissions/
    http://devot-ee.com/add-ons/linklocker/

    Etc.

    There have also been a number of feature requests for more fine-grained permissions, multiple groups per user, etc - but my impression from some comments from one of the early EE developers was that the work required to get EE to do this was quite significant, having to touch almost every layer of EE’s data and logic.

    That there have been so many requests for it and no available solution seems to confirm it - but who knows, maybe you’ll discover the easy way to pull it off.

  • #3 / Aug 10, 2010 11:00am

    Chuck Liddell

    57 posts

    I was afraid of that. Thanks for the reply!

  • #4 / Aug 10, 2010 12:49pm

    Mark Croxton

    319 posts

    There are a number of established ways to implement Access Control Lists for CodeIgniter that you might want to check out (if only for the theory) before developing your own solution for EE. A lot of CI devs use the Zend ACL class (you can easily use this with CI).

    Personally I prefer role based access control (because I think permissions should be meaningful rather than being assigned to a low level object directly). I wrote a simple implementation for CI where users belong to one or more roles. Roles are collections of permissions (things the user can ‘do’), and users can be assigned one or more of these roles; so roles are like a template for commonly assigned permissions. Users can also be assigned permissions directly. Users inherit permissions from their assigned roles but user-assigned permissions take precedence over role-inherited permissions. This allows for a high level of flexibility when determining who can do what.

    In EE roles and groups are conflated into one concept, ‘groups’. For me groups are collections of users with a common interest or purpose (they belong to a particular company, team, department) but who may have different common roles (author, editor, buyer).

    Anyway, just some things to consider 😊
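
The role model described in post #4, applied to the per-category and download scenarios from post #1, as an added example that is not part of the original thread or any poster's code. The class `RoleAcl` and all role, permission and user names are hypothetical; it assumes roles only grant permissions, while a permission set directly on a user may grant or deny.

```php
<?php
declare(strict_types=1);

// Added illustration; class, role and permission names are hypothetical.
final class RoleAcl
{
    private array $rolePerms = []; // role => [permission => true]
    private array $userRoles = []; // user => [role => true]
    private array $userPerms = []; // user => [permission => bool] (false = explicit deny)

    public function grantToRole(string $role, string ...$perms): void
    {
        foreach ($perms as $p) { $this->rolePerms[$role][$p] = true; }
    }

    public function assignRoles(string $user, string ...$roles): void
    {
        foreach ($roles as $r) { $this->userRoles[$user][$r] = true; }
    }

    public function setUserPermission(string $user, string $perm, bool $allow): void
    {
        $this->userPerms[$user][$perm] = $allow;
    }

    public function can(string $user, string $perm): bool
    {
        // A permission set directly on the user wins, whether grant or deny.
        if (isset($this->userPerms[$user][$perm])) {
            return $this->userPerms[$user][$perm];
        }
        // Otherwise inherit: any assigned role holding the permission grants it.
        foreach (array_keys($this->userRoles[$user] ?? []) as $role) {
            if (isset($this->rolePerms[$role][$perm])) { return true; }
        }
        return false; // unknown user, role or permission: deny by default
    }
}

// Constructed sample data: one role per category instead of one group per combination.
$acl = new RoleAcl();
$acl->grantToRole('category1_reader', 'category1.view');
$acl->grantToRole('category2_reader', 'category2.view');
$acl->grantToRole('downloader', 'files.download');
$acl->assignRoles('alice', 'category1_reader', 'category2_reader', 'downloader');
$acl->assignRoles('bob', 'category1_reader', 'downloader');
$acl->setUserPermission('bob', 'files.download', false); // overrides the downloader role
foreach (['alice', 'bob', 'mallory'] as $u) {
    printf("%s: category2=%s download=%s\n", $u, var_export($acl->can($u, 'category2.view'), true), var_export($acl->can($u, 'files.download'), true));
}
```

With N categories this needs N roles rather than one group per combination, and the explicit deny on `bob` shows the user-level entry taking precedence over what his roles grant.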

  • #5 / Aug 11, 2010 11:36am

    Chuck Liddell

    57 posts

    Mark,

    Thank you for the cogent and detailed reply.

    I was actually thinking along the lines of roles, but didn’t want to cloud my original post explaining my thoughts on how roles differed from groups 😊

    You’ve given me an idea though (an idea reinforced by what I’ve discovered so far looking through hooks and code). Rather than alter EE to accept multiple groups instead of a single group, the sanest approach might be to supplement it with an entirely additional system of roles. I have a pretty good idea in my head of how I would design the system, just need to do a little more feasibility research.

    Thanks for the food for thought.

  • #6 / Sep 20, 2010 11:54am

    blendimc

    150 posts

    I know this is one of the most frustrating features about EE currently for me, especially since EE 2 is missing the plugins that helped EE 1 limp around this limit. Thinking through it, it almost seems an outside role manager add-on is the only possible way to handle multiple user groups without recreating EE. If you could commercialize it, I think there would be a good market for it. I know I’d buy multiple copies of it. Hope this journey has gone well for you and curious to hear if you have found any more updates or thoughts on this idea.

  • #7 / Oct 08, 2010 3:39pm

    sharon-b

    7 posts

    I’m looking for a way to limit users to posting entries in specific categories and locking them out of others. Has anyone found a solution for this for EE2?

    Thanks!
