Summary
In the acl.auth.php file, does the * have to go at the end of the namespace, or can it go in the middle so you can set permission on a page by name rather than by namespace? E.g. all pages called funstuff in the policies namespace editable by funstuffteam would be :policies:*:funstuff @funstffteam 16
Detail
I'd like to automatically set permissions on a set of pages that will be created using the bureaucracy plugin.
How it should work
1) The user completes a bureaucracy form with details of the new policy they wish to create
2) the bureaucracy form submit action creates a set of templated pages which include
a) the policy details and content
b) fixed parts of the page : eg a disclaimer footer
c) admin parts of the page such as intended audience and approval pages with different permissions
d) a full page (start) that uses the 'include' plugin to pull together all the above parts to create one document eg: {{page>.audience}} {{page>.approval}} {{page>.summary}} {{page>.content}} {{page>:global_footer}}
I want to set up ACLs so that once the page is created
a) the group 'authors' can only edit the content pages, e.g. <policyname>:content
b) the group 'approvers' can edit the pages <policyname>:approval to add the status of the policy and mark it as approved, reviewed, next review date etc.
c) the group 'admins' can edit the pages <policyname>:start, which ties together all the parts
Effectively I'm trying to create a page where different people can edit different parts of the page. I can only see how to do this if I split the page into sections and set ACLs based on file name.
Looking at
Wild cards are only ever included at the end of the line
If I add entries
policies:*:start @user 1
policies:*:start @admin 16
policies:*:approval @approvers 2
policies:*:audience @admin 16
then I would think that
- users can read any start file in the policies namespace
- the admin group has full access to any page called start in the policies namespace
- the group approvers would have edit rights to any page called approval in the policies namespace
- the admin group has full access to any page called audience in the policies namespace
The questions I have are
- would this work with ACLs with a wild card in the middle of the path?
- is this the best way to create a single "policy" document in its own namespace with all the components in that namespace and granular permissions (ie one sub namespace per document with permissioned pages within one namespace)
- or would it work better if I had a name space for each document component section (so permissions were already set at the parent level) and a page for each policy eg
- policies:approval:policy1,policies:approval:policy2,
- policies:content:policy1,policies:content:policy2,
- policies:start:policy1,policies:start:policy2, etc
- can the bureaucracy plugin create pages in a namespace where the user submitting the form has no permissions?
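
An added example, not part of the original post and not DokuWiki's own code: a simplified Python model of ACL lookup under the rule quoted above that wildcards only count at the end of a line (exact page line first, then `ns:*` lines from the deepest namespace up to `*`). It compares the mid-path wildcard entries from the post with the one-namespace-per-component layout; the root `* @ALL 1` line and the `@authors` line are constructed for the comparison.

```python
# Simplified model of DokuWiki-style ACL resolution (added example, not DokuWiki code).
# Assumption: "*" is only meaningful as the last path component ("ns:*" or "*").

ACL_MID_WILDCARD = """
*                    @ALL        1    # constructed default
policies:*:start     @admin      16
policies:*:approval  @approvers  2
"""

ACL_PER_COMPONENT_NS = """
*                    @ALL        1    # constructed default
policies:start:*     @admin      16
policies:approval:*  @approvers  2
policies:content:*   @authors    2    # constructed line
"""

def parse_acl(text):
    """Return (path, subject, level) tuples from acl.auth.php-style lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            path, subject, level = line.split()
            rules.append((path, subject, int(level)))
    return rules

def parent(ns):
    """Namespace one level up, or '' at the root."""
    return ns.rsplit(":", 1)[0] if ":" in ns else ""

def check(rules, page_id, groups):
    """Most specific scope with a matching subject wins; highest level within it."""
    subjects = {"@ALL"} | {"@" + g for g in groups}
    scopes = [page_id]                         # exact page line is tried first
    ns = parent(page_id)
    while ns:
        scopes.append(ns + ":*")               # then each enclosing namespace
        ns = parent(ns)
    scopes.append("*")                         # finally the root rule
    for scope in scopes:
        levels = [lvl for path, subj, lvl in rules
                  if path == scope and subj in subjects]
        if levels:
            return max(levels)
    return 0                                   # nothing matched: no access
```

In this model `policies:*:approval` is never one of the scopes tried for `policies:policy1:approval`, so an approver falls through to the root rule, while `policies:approval:*` grants edit on `policies:approval:policy1`.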