Rights table

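| Right | guest | person | member | owner | moderator | administrator | developer |
| --- | --- | --- | --- | --- | --- | --- | --- |
| write thought in an open group | no | yes | yes | yes |  | yes | yes |
| write thought in a closed group | no | no | yes | yes |  | yes | yes |
| edit thought | no | no | yes | yes |  | yes | yes |
| tag | no | yes | yes | yes |  | yes | yes |
| edit tag | no | no | yes | yes |  | yes | yes |
| comment | yes | yes | yes | yes |  | yes | yes |
| delete comment | no | delete own comment | yes | yes |  | yes | yes |
| change group password | no | no | no | yes |  | yes | yes |
| hide comments |  |  |  |  | yes | yes |  |
| … many more |  |  |  |  |  |  |  |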

Tags

  1. rights
  2. rentonfoodcoop
  3. right change-data
  4. thought 19830

Comments


Seth says
seth 2016-02-01 07:19:42 [item 19801#44115]
i could make a table … columns could be: guest, person, member, owner, administrator … then vertically we could list the various privileges, like commenting, deleting thoughts, deleting comments, changing things, editing tags, etc, etc …. good idea ?
Yes! Good idea. I actually added the feature yesterday. It’s called “rights” and is stored under quads/user and right now the only actual right is right-edit-scripts which is a very high level right for only super trusted people. It allows creating live pages, like admin pages and test pages. The rights feature is fully integrated with editing and display now. And it would be good to start a table of rights.

For instance, go over and try to edit thought 19812  

Holmes says
Looks like the table was filled in a lot since I was last here. There was no comment or repost to that effect yet. So far looking pretty good. As long as we understand that it is the combination of rights that makes someone an administrator, or guest, etc, and not a right-guest and such, then this is the right path.

Holmes says
nathan 2016-02-01 16:10:11 [item 19830#44204]
Okay. Not sure I understand this. There is lots of good information on the web about assigning good user rights and I have been through this before with other groups, including at Microsoft, and I went through the very painful wordpress rights switchover 2 years ago as they fixed that their rights had grown out of control and were nearly unmanageable. This nearly always happens once user rights can be created … they quickly grow out of control and become a management and software nightmare as they soon become ambiguous and inclusive and exclusive in unpredicted ways.

Some simple guidelines to prevent this are:

  1. Only create a right to give access to a feature. Period and double period.
  2. Do not combine features that have or could have their own rights into another right.
  3. Never assign rights to represent a group of people, only to distinct features that a person has the right to access or not. Handle groups by batch assigning feature rights as appropriate to people.
  4. Do not allow rights to features to overlap. Each feature must be distinct.

There is much more in the literature, but these rules cover the gist of it. For instance, there should not be an administrator right. Rather, a full administrator should have all rights assigned to that person. There should be a right-delete-group and a right-reassign-password and so forth that administrators should have. The one existing right-edit-scripts is in line with these requirements.
seth 2016-02-03 10:43:30 [item 19830#44450]
i think i understand this yes.

except perhaps …
(3) Never assign rights to represent a group of people, only to distinct features that a person has the right to access or not. Handle groups by batch assigning feature rights as appropriate to people.

Certainly we will not be going to each administrator and issuing them specific rights … will we?   I would expect that we simply say (in essence)  in the quads,  John isA  Administrator.   Then say, Administrator hasRights a, b, c, d.   or instead must the quads record that:  John hasRights a, b, c, d.  and Jim hasRights a, b, c, d, e.  ??
dA 2016-02-03 10:53:43 [item 19830#44453]
Yes. This is handled in the software. The end result is that a set of rights gets assigned to create an administrator etc. It’s not that we can’t have an administrator checkbox which assigns all rights, and so forth for any virtual entity, it’s that we can’t have an administrator right in the actual quad tables that attempts to give all rights. Many developers try to do that with rights because it seems like a really nice shortcut but it ends up not working soon down the road.
seth 2016-02-03 11:02:38 [item 19830#44456]
well i can see that a quad {administrators haveRights ALL} is not desirable.   beyond that i don’t grok your distinction.
Okay. It took me plenty of time and painful wrong paths to form a distinction myself. That’s why I say as long as you understand how to apply each of those 4 rules based on their description, then it will be the path that works and grows well. I don’t have enough words to describe all the nuances of why. It is a full day course when it is taught in IT school.
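
The four guidelines in this comment, and the "John isA Administrator" question that follows them, sketched as an added example that is not the site's own code: roles exist only as batch-assignment templates, and the stored data holds atomic feature rights per person. Apart from right-edit-scripts, right-delete-group and right-reassign-password, every right name, the `ROLE_TEMPLATES` table and all function names are assumptions.

```javascript
// Added illustration; not code from the site discussed in this thread.
// Registry of atomic feature rights (rules 1, 2 and 4): one right per feature.
// Only the first three names appear in the thread; the rest are hypothetical.
const FEATURE_RIGHTS = new Set([
  'right-edit-scripts',
  'right-delete-group',
  'right-reassign-password',
  'right-edit-thought',      // hypothetical
  'right-delete-comment',    // hypothetical
]);

// Rule 3: a role is never stored as a right. It is a UI-level template (the
// "administrator checkbox") that expands to feature rights at assignment time.
const ROLE_TEMPLATES = {
  member: ['right-edit-thought'],
  moderator: ['right-edit-thought', 'right-delete-comment'],
  administrator: [...FEATURE_RIGHTS],
};

// Reject anything that is not a registered feature right, so a shortcut
// such as "right-administrator" can never reach the stored data.
function grant(store, user, right) {
  if (!FEATURE_RIGHTS.has(right)) {
    throw new Error(`unknown or non-atomic right: ${right}`);
  }
  if (!store.has(user)) store.set(user, new Set());
  store.get(user).add(right);
}

function revoke(store, user, right) {
  const rights = store.get(user);
  return rights ? rights.delete(right) : false;
}

// Batch assignment: expand the template once, store only feature rights.
function applyRole(store, user, role) {
  const template = ROLE_TEMPLATES[role];
  if (!template) throw new Error(`unknown role template: ${role}`);
  for (const right of template) grant(store, user, right);
}

// A role label is derived for display by comparing stored rights with the
// templates; it is never consulted when deciding access.
function describe(store, user) {
  const rights = store.get(user) || new Set();
  return Object.keys(ROLE_TEMPLATES).filter(role =>
    ROLE_TEMPLATES[role].every(r => rights.has(r)));
}

function demo() {
  const store = new Map();          // user -> Set of feature rights
  applyRole(store, 'john', 'administrator');
  applyRole(store, 'jim', 'administrator');
  revoke(store, 'jim', 'right-edit-scripts');   // per-person customisation
  let rejected = false;
  try { grant(store, 'jim', 'right-administrator'); } catch (e) { rejected = true; }
  return {
    john: describe(store, 'john'),
    jim: describe(store, 'jim'),
    jimScripts: store.get('jim').has('right-edit-scripts'),
    rejected,
  };
}
```

Here John and Jim both start from the administrator template, yet the store records only their individual feature rights, so removing one right from Jim needs no new role and no change to John.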

Seth says
dA 2016-02-03 09:56:31 [item 19830#44435]
One reason there is not a rights editor yet is that this is still in flux. For one thing, I want to be very sure you understand the last comment. Not just read it, but fully understand it, even if more dialog is needed. I have been down this road so many times I want to make sure it is the right road and people understand, if not why, at least how to stay on it.
seth 2016-02-03 11:35:07 [item 19830#44459]
are you saying that there will be a dialogue form that pops up for a person … and on that form we check the various rights assigned.  when a guest becomes a person that would get some default settings copied into their personal quad.   same when they become a member of a particular group – they would inherit the additional rights defaults already granted to that group.   same for joining an administrator’s group.  

at any time an administrator (or maybe even a group owner) could go to the individual’s settings and customize the person by clicking whatever right on/off which they want to change.

??
dA 2016-02-03 11:53:45 [item 19830#44463]
Yes for all the stuff that applies to person including clicking changes in administrators group.

No for anything that was about groups. I do not plan to give groups rights or intermix group and user rights in any way. Group access is controlled by one thing, the password to the group. Group settings and features are controlled on the group settings page. There is now and can still be a root user for the group that has full control, but this will not be a system wide right, just a designated user for that group, or a designated password for the root user, I don’t really care which. Right now it is the user with the same pen name as the group name, but that will obviously have to change.
seth 2016-02-03 12:08:09 [item 19830#44467]
yes okay.  so ...

there will be an author’s rights setting page … that can be accessed by the author himself … and administrators.

and …

there will be a group rights setting page … that applies to everybody who has a password for the group … and which can be accessed by the group owner … and administrators.

??
dA 2016-02-03 12:17:02 [item 19830#44468]
It would be okay in the model to create author rights for any atomic group feature, such as right-add-group-thought, but these would apply to an author in all groups, not one only. I don’t see that we need any ability to match up author rights with particular groups. It might look attractive, but there is hardly anything that doesn’t already work well with your password based model and that is so much easier to manage and program for. It’s a good model. An author to group mapping would be an entire new level of security and would not double, but actually quadruple the code checks. It’s an A * B situation not A + B.
yes ok got it

Seth says
seth 2016-02-06 08:45:19 [item 19830#44778]
this table looks 100% better now … it reflects my original intention yes
dA 2016-02-06 08:52:45 [item 19830#44780]
Yes. It actually looked good in many of my other tries too (never saying the original looked good). But, I couldn’t find a happy medium between all the things a person could do in the table editor and looking good on the screen … so I went with the default HTML.

p.s. would look a ton better if you set cell spacing to zero too!
seth 2016-02-06 09:10:13 [item 19830#44783]
hmmm …. gonna try that … to be honest with you … bozo blushing here … i don’t really know what cell spacing does.  now border width and cell padding … those are really the things i think about.
ok got it … actually all the attributes work quite well now … all seem useful to me …. especially the ability to insert and delete rows and columns … couldn’t do that in fb1 at all.

Seth says
seth 2016-02-06 08:45:19 [item 19830#44778]
this table looks 100% better now … it reflects my original intention yes
dA 2016-02-06 08:52:45 [item 19830#44780]
Yes. It actually looked good in many of my other tries too (never saying the original looked good). But, I couldn’t find a happy medium between all the things a person could do in the table editor and looking good on the screen … so I went with the default HTML.

p.s. would look a ton better if you set cell spacing to zero too!
seth 2016-02-06 09:10:13 [item 19830#44783]
hmmm …. gonna try that … to be honest with you … bozo blushing here … i don’t really know what cell spacing does.  now border width and cell padding … those are really the things i think about.
dA 2016-02-06 09:17:07 [item 19830#44786]
Cell spacing is the space between cells and it’s what pushes the cell blocks apart like that. It doesn’t have a counterpart in any other tabular system than HTML. It doesn’t even have a css setting. It’s not just a spacing issue either, it causes heavier lines around inner cells and lighter lines around outer cells and lots of visual quirks in table display. There is a css value called border collapse that tries to fix it, but it doesn’t work right with attributes in all cases. Tables don’t really need cell spacing, cell padding would do everything needed just fine. Cell spacing is the fly in the works.
like

Seth says
just noticed that there are all kinds of cell styling in this RTE too.   i hesitate to even use them.

Seth says
in the current case with coopers … i trust all the members of the steering committee to have the ability to change this data.   i am not so very sure i should trust them with general scripting abilities all over the domain.  

Si says
Seth 2016-03-24 10:24:34 [item 19830#50243]
the question in coopers right now is how does the itGuy grant the treasurer and other clerks the right to edit the membership table?   The way it is now i have granted everyone who is in the steering committee the right to see the table … see http://td.rentonfoodcoop.com/steering

but the only way i know how to let the treasurer edit is to grant him scripting rights.   is that the only way right now?
nathan 2016-03-24 10:28:18 [item 19830#50244]
It is. And that would be a very bad idea.

We have not had this need before … but in the general rights scheme it is provided for. Extra rights can be assigned to individuals and to individuals on a group basis and tested for in scripts. Only have to decide what they are and what they mean … and then carefully edit the JSON rights object using the quad editor. At least the JSON editor helps you to not make mistakes.
Seth 2016-03-24 10:34:24 [item 19830#50245]
in this case i think it is clear … we need a right to change-data in a specific thought which can be assigned either to an individual or to a group.

not something that i know how to make happen.

 
nathan 2016-03-24 10:39:27 [item 19830#50246]
Yes. I can show. But not clear on what you mean by a specific group. For instance, rights can be given to a physical group, or to individuals in respect to that group … but they cannot be assigned to a group of people as a group by any single right assignment. That functionality will someday be accommodated by a rights editor which will be able to batch apply to users.

So I don’t know of which of those 3 ye doth need.
Seth 2016-03-24 10:58:14 [item 19830#50247]
well simplest way is for an itGuy to grant “change-data-right” for a specific thought to specific individuals.   and that would totally work right now and quite a bit into the future. 

at some point it will become too much busywork.

so thinking out loud here …

SiriTD defines a “physical group of individuals” as any individual who has joined a specific group, like for example group steering over on coopers.  So we could state a quad which grants “change-data-right” to everybody who has joined group steering.   But  in this case it might be better to  create another group containing other thoughts and just grant “change-data-right” to the whole group of individuals for all the thoughts in that group … and only those individuals who were tasked with maintaining the data would be invited.

So to cut down on the busy work, this all can be controlled by assigning rights to all thoughts in a group to all individuals who have joined the group.   I have actually administered a couple of Novell networks with quite a number of groups and individuals involved and that scheme worked quite well. 
nathan 2016-03-24 11:09:32 [item 19830#50248]
Okay. The part about assigning a specific right to an individual, and making that right active only in a group, is very doable.

The part that is less clear is when you talk about “signed in” because rights actually don’t work that way. Rights are a relationship between an individual and a group and are independent of being signed in or not. Being signed in is actually added virtually as another right when you are signed in so that it can be identified and checked by the same hasRight() method.

Not arguing or saying how things should be. Only trying to figure out how to do what you need in this as it is.
Seth 2016-03-24 11:21:56 [item 19830#50249]
ok, “signed in” is not the criteria.   the criteria is whether the individual is a member of the group.  and they are a member of the group iff they have ever successfully joined it.   ok?
nathan 2016-03-24 11:29:27 [item 19830#50251]
Actually not exactly. The only concept of being a member we have right now is being signed in, and in respect to rights, that adds a right that says you are signed in. Rights also have the ability to associate any given right between an individual and a group. This is independent of being signed in. Furthermore, a right can be acquired by a group simply by “being in” the group … i.e. navigating it … such that when you press the home button, you will be at the top of the group room, and the group is showing in your group menu item.

So really, these are three completely unrelated ways you could be said to “be in a group”.
Seth 2016-03-24 11:43:20 [item 19830#50252]
ok … i think i know what you are saying here …. i’m going to see if i can document that in a thought so as to leave a more permanent trace smug.  

in the meanwhile having the ability to assign “change-data-right” to the steering group would solve my immediate concerns.  and, of course, making that work in respect to the thought http://td.rentonfoodcoop.com/item/44
?

Si says
Seth 2016-03-24 13:44:08 [item 19830#50259]
so are rights actually specified only for the pair (individual, group) ?

if so, are wild cards allowed in each element of the pair … eg (*,group) or (individual,*)  … or even (*,*) ?
Rights are paired yes, but wildcards no.

Rights are compiled and then applied to the page body as classes. This is extremely efficient and versatile and allows page components to be hidden and visible and to perform differently simply by affecting and controlling their CSS. This hugely simplifies many things … but would not lend itself to wildcards.
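
The model nathan describes in this thread (rights held per individual and group pair with no wildcards, a virtual signed-in right checked through the same hasRight() call, and compiled rights emitted as body classes), as an added sketch that is not the site's code. The JSON layout, the `right-change-data` and `right-signed-in` names, and every function other than the name hasRight are assumptions; the server-side re-check in `saveTable` is also an assumption, included because classes only control what is displayed.

```javascript
// Added illustration; not the site's code. Constructed sample data: a JSON
// rights object keyed by individual, then by group (layout is an assumption).
const RIGHTS = {
  treasurer: { steering: ['right-change-data'] },
  seth: { steering: ['right-change-data'], coopers: ['right-edit-scripts'] },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compile the rights for one exact (individual, group) pair. There is no
// wildcard lookup: a '*' in either position simply matches nothing.
function compileRights(rightsObject, individual, group, signedIn) {
  const byGroup = own(rightsObject, individual) ? rightsObject[individual] : {};
  const listed = own(byGroup, group) ? byGroup[group] : [];
  const compiled = new Set(listed);
  // Being signed in is added virtually so the same check covers it.
  if (signedIn) compiled.add('right-signed-in');
  return compiled;
}

function hasRight(compiled, right) {
  return compiled.has(right);
}

// Emit the compiled rights as classes for <body>. Names are restricted to a
// safe character set so a stored value cannot break out of the attribute.
function bodyClasses(compiled) {
  return [...compiled]
    .filter(r => /^[a-z][a-z0-9-]*$/.test(r))
    .sort()
    .join(' ');
}

// Classes only hide or show page components. The write path (hypothetical
// handler) re-checks the same compiled set before changing any data.
function saveTable(compiled, rows) {
  if (!hasRight(compiled, 'right-signed-in') ||
      !hasRight(compiled, 'right-change-data')) {
    return { ok: false, status: 403 };
  }
  return { ok: true, status: 200, saved: rows.length };
}
```

With this data the treasurer gets `right-change-data` in group steering only, and seth's `right-edit-scripts` in coopers does not follow him into steering.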

Seth says
nathan 2016-03-24 14:36:11 [item 19830#50261]
Done. More at thought 20664
?
