Dave wrote:
Yes, when Roller is used with an externalized perms system the existing Roller permissions UI should be disabled. Do we also need links to the external perms management UI?
Hi Dave,
It'd be nice to have the option, yes. I think the permissions UI stuff might be a little more complicated to externalize, mainly because there are UI aspects of authorization that go beyond management. The most prominent example I can think of is the ability for the authz system to send a little explanation back to the UI side of things as to why the user is not allowed to perform an action. Right now on Lulu.com, there are some spots that just say "You are not allowed to do that" when someone tries to do something that's not allowed (because I didn't design LPermissionManager properly :-). Optimally, it'd be possible for the authz system to tell the Roller user a little more about why the access was denied, and what steps the user can take to correct things ("To post to this blog, you must first join the FOO group. You can join FOO by clicking >here<").
Also, I just thought of another set of issues that might need a little thought - what happens when people try to mix external authn/authz systems with the Roller internal ones. For example, what if someone wants to use an external authn system with the Roller authz system, or (this is where it gets weird) the Roller authn system with an external authz system? The cases of external+external and Roller+Roller are likely to be the most common cases. I don't think it's necessarily important to support the other combinations so much as be clear about what is supported and what isn't...
Best, -- Elliot
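
The two ideas in the message above, sketched as an added example (not code from Roller, Lulu.com, or either poster): an authorization decision that carries a reason and a remedy back to the UI, and a startup check that states which authn/authz pairings are supported. Every name here is hypothetical, the join URL is a constructed placeholder, and treating mixed pairings as unsupported is an assumption made for the sketch.

```java
import java.util.Optional;
import java.util.Set;

// Hypothetical sketch; none of these types exist in Roller.
public class AuthzSketch {
    enum Provider { ROLLER, EXTERNAL }

    // A decision that explains itself instead of returning a bare boolean.
    record Decision(boolean allowed, String reason, Optional<String> remedyUrl) {
        static Decision allow() { return new Decision(true, "", Optional.empty()); }
        static Decision deny(String reason, String remedyUrl) {
            return new Decision(false, reason, Optional.ofNullable(remedyUrl));
        }
    }

    interface PermissionChecker { Decision check(String user, String action, String blog); }

    // Assumption: only matched pairs are supported, so a mixed pair fails at startup
    // with a clear message rather than misbehaving at request time.
    static void requireSupported(Provider authn, Provider authz) {
        if (authn != authz)
            throw new IllegalStateException("Unsupported combination: authn=" + authn
                + ", authz=" + authz + " (supported: ROLLER+ROLLER, EXTERNAL+EXTERNAL)");
    }

    // Constructed external checker: posting requires FOO membership, all else is denied.
    static PermissionChecker fooGroupChecker(Set<String> fooMembers) {
        return (user, action, blog) -> {
            if (!"post".equals(action))
                return Decision.deny("You are not allowed to do that.", null);
            if (fooMembers.contains(user)) return Decision.allow();
            return Decision.deny("To post to this blog, you must first join the FOO group.",
                                 "https://authz.example/groups/FOO/join"); // placeholder URL
        };
    }

    // UI side: show the reason and, if present, the remedy (HTML-escape both in a real view).
    static String render(Decision d) {
        if (d.allowed()) return "OK";
        return d.reason() + d.remedyUrl().map(u -> " Join here: " + u).orElse("");
    }

    public static void main(String[] args) {
        requireSupported(Provider.EXTERNAL, Provider.EXTERNAL);
        PermissionChecker checker = fooGroupChecker(Set.of("alice"));
        System.out.println(render(checker.check("alice", "post", "blog1")));
        System.out.println(render(checker.check("bob", "post", "blog1")));
        System.out.println(render(checker.check("bob", "delete", "blog1")));
        try { requireSupported(Provider.ROLLER, Provider.EXTERNAL); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```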
