
Managing complicated permissions


I'm experiencing some coder's block while trying to plan and develop a system around access controls for our users for a specific project/subsite in our website.

We have 3 groups:

  • newsauthors -- can write stories, but not publish
  • newsapprovers -- can potentially publish/unpublish stories, may be assigned as approvers (also a member of newsauthors)
  • newsadmins -- can assign approvers (also a member of news approvers)

There are also more ad-hoc associations and groups: an author can be assigned approvers, which will create (or update) a group (that group will be called [authorname]Approvers, like aaron.mcdonald@maininator.comApprovers to use an example from the sample content).

I have the creation and assignment implemented, and I even have the mechanism for a user to request their story be published and the associated approver group is tasked with a workflow step, but I need to be able to restrict access to the publish and start-workflow features for a given story (page) if the user isn't the story's author, or the approver of that author (or otherwise has publish rights).

Currently newsauthors have edit rights for everything under /content/uc/news/articles, and news approvers have replication rights to those areas. I need something a bit more complex:

Let's establish 4 users, aaron, boyd, carl, dean with the following group memberships:

  • aaron and boyd are newsauthors
  • carl and dean are newsapprovers
  • carl is in aaronApprovers
  • dean is in boydApprovers, none are news admins

And some content:

  1. /content/uc/news/articles/2016/05/1.html - author: aaron
  2. /content/uc/news/articles/2016/05/2.html - author: boyd

Under my current setup, everyone has edit rights to all these pages, because they are all newsauthors. And carl and dean can activate either page, because they are news approvers. However, I need to restrict it so that

  • aaron and carl are the only ones with edit rights to 1.html
  • boyd and dean may both edit 2.html
  • only aaron may request replication of 1.html
  • only boyd may request replication of 2.html
  • only carl may replicate 1.html
  • only dean may replicate 2.html

Of course, news admins continue to have full rights to edit/replicate anything.

Are effective permissions on a page-by-page basis my best bet here?
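As an added illustration (not code from the original post), here is a small policy model of the rules above: it computes who gets which right on each page from the sample memberships, and derives the per-page ACL entries a page-by-page setup would need. The user, group and page names are the post's sample data; the privilege names `jcr:read`, `rep:write` and `crx:replicate` are the Oak/AEM ones, and mapping "request replication" to "rep:write without crx:replicate" is an assumption.

```python
# Sample memberships from the post (constructed): approvers are also authors,
# nobody is a news admin, and each author has a [authorname]Approvers group.
GROUPS = {
    "newsauthors": {"aaron", "boyd", "carl", "dean"},
    "newsapprovers": {"carl", "dean"},
    "newsadmins": set(),
    "aaronApprovers": {"carl"},
    "boydApprovers": {"dean"},
}
PAGE_AUTHORS = {
    "/content/uc/news/articles/2016/05/1.html": "aaron",
    "/content/uc/news/articles/2016/05/2.html": "boyd",
}


def approvers_of(author):
    """Members of the ad-hoc [authorname]Approvers group (empty if none)."""
    return GROUPS.get(f"{author}Approvers", set())


def rights(user, page):
    """Rights a user has on a page under the rules stated in the post."""
    author = PAGE_AUTHORS[page]
    if user in GROUPS["newsadmins"]:
        return {"edit", "request_publish", "publish"}
    granted = set()
    if user == author:
        granted |= {"edit", "request_publish"}
    # Only a real newsapprover who is in the author's approver group may publish.
    if user in approvers_of(author) and user in GROUPS["newsapprovers"]:
        granted |= {"edit", "publish"}
    return granted


def page_acl(page):
    """Principal -> allowed privileges to set on the page itself.

    Assumption: the author gets write but not replicate (so they can only
    request activation), the approver group gets write plus replicate.
    The broad inherited allow for newsauthors on the articles folder must
    be removed or denied on each page; ACE ordering matters in Oak.
    """
    author = PAGE_AUTHORS[page]
    return {
        "newsadmins": ["jcr:read", "rep:write", "crx:replicate"],
        author: ["jcr:read", "rep:write"],
        f"{author}Approvers": ["jcr:read", "rep:write", "crx:replicate"],
    }


def matrix():
    """Full user x page rights table, handy for checking against the bullets."""
    users = sorted(GROUPS["newsauthors"])
    return {p: {u: rights(u, p) for u in users} for p in PAGE_AUTHORS}
```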

1 Reply


Yes. For this complex permission structure, it looks like page by page is the way to proceed. However, I will double check this tomorrow.