How will tag permissions work?

Dominion

I've been thinking about the eventual transition to Flarum, and have come up with a couple questions.

My first question is about private discussions. Our current esoTalk setup relies on private conversations rather heavily, so I'm concerned about how easy it will be to transfer that existing data to Flarum. I know private discussions will be handled by an extension (which I'm hoping will be available at release, or not too long after). And I know that you're planning to provide a way to migrate from esoTalk to Flarum. My question is, will the migration method be able to convert esoTalk private conversations to Flarum private discussions without issue?

Second, I'm wondering about how the conversion from channels to tags will work. Our current setup involves some nested channels with group-based permission settings designed to manage the flow of information. I realize that the nesting may not be possible with Flarum's tags (at least, not without some sort of extension to modify how tags work), so I've been thinking a bit about how I can use tags to achieve something close to our current setup.

I suspect the answer to my question will depend on how permissions work in Flarum. What happens when a discussion is marked with two tags, one of which permits access to a user group and the other denies access by the same user group? That sort of thing. Have you got any documentation relating to how permissions work yet? If not, no hurry ... just wondering.

Toby

Dominion will the migration method be able to convert esoTalk private conversations to Flarum private discussions without issue?

Yes. Of course, none of this will be ready for the beta.

What happens when a discussion is marked with two tags, one of which permits access to a user group and the other denies access by the same user group?

As you would've seen in the admin permissions interface screenshot that's floating around (or in Berlo's sandbox), you can restrict permissions per-tag. The way it currently works: If a discussion has a tag that is restricted, then the user must be able to see that restricted tags in order to see the discussion. If a discussion has multiple restricted tags, then the user only needs to be able to see one of the restricted tags to see the discussion.

This logic isn't set in stone, though. I haven't really considered the use-cases in great detail. Let me know if you have any thoughts.

Kulga

Toby If a discussion has multiple restricted tags, then the user only needs to be able to see one of the restricted tags to see the discussion.

Access control is often done with default allow/deny policies (analogizing from iptables here)

Default Deny
Default Allow

Default Deny would be the above logic. If they have access to any of the permitted tags, they should be able to see the discussion. Otherwise, they may not see the discussion.
Default Allow - A user should be able to see all discussions unless there is a tag the user does not have access to, then they should not be able to see the discussion.

There's nothing right or wrong about either. Normally, default deny is considered "more secure" as opposed to default allow since you must explicitly define a tag saying it's ok to see this discussion - rather then defining tags to prevent access. This goes back to the opening the door a crack versus barricading a open door.
In default deny, saying a user has access to tag [N] would be akin to a -j ACCEPT. In default allow, saying a user does not have access to tag [N] would be akin to a -j DROP. Because of that, you should specifically choose groups of users that can see certain tags in default deny, and specifically choose tags that groups of users should not be able to see in default allow.
Different policies for different use cases. Because of this, being able to choose between the two would be awesome - if only for the fact it permits very fine grained logic. However if implemented - I feel this would fall squarely in the advanced section of any configuration.

Dominion

Toby Thanks for the explanation.

I'm thinking of my current esoTalk site as a sample use case. We've set up nested forums in such a way that access is gradually restricted in some cases. For example, we've got these two forums:

Site Development
Event Planning

And we've got two user groups, Site Team and the Events Team. The Site Team can access stuff in both of the above forums, but the Events Team can only access stuff in the Event Planning forum. Now, that forum is further subdivided into the following sub-forums.

Event Proposals
Event Menu
Event Preparation
Event Feedback

Anyone who belongs to either of the two groups can access stuff in the Proposals and Feedback sub-forums, but the other two are restricted. You need to be a member of a third group (Event Leaders) to post anything in the Event Menu sub-forum. And only members of the Event Leaders group can start a thread in Event Preparation, but anyone can see a thread in that forum can respond to it.

There's much more to it, but that gives you the general idea.

Since Flarum allows nesting of tags, we can use that functionality to organize information in something approaching what we've done with our esoTalk site. At least, close enough for jazz. However, your description of the permissions makes it sound as if we'd have a hard time restricting permissions gradually the further you go in.

@Kulga makes some very good points, but from the standpoint of giving admins maximum flexibility with a minimum of configuration, it might be a good idea to AND the permissions on tags rather than OR them as the default behavior.

Kulga

I'm liking the AND / OR analogy better here.
My default allow / deny is under the assumption that it's impossible to direct every packet manually in a firewall
However, a forum user can make individual decisions per thread.
It seems the conclusion (so far) is to change the current default behavior from

Toby If a discussion has multiple restricted tags, then the user only needs to be able to see one of the restricted tags to see the discussion.

If a discussion has multiple restricted tags, then the user must be able to see all restricted tags to see the discussion.

There must be behavior for nested tags though. If a user is part of a group that has access to a nested tag, they must be given privileges to all parent tags. This shouldn't apply the other way around though.

For example
Structure of

Earth
- Rock
Ice

To access a discussion with tags of Rock and Ice, user Foo must automatically be able to see all discussions with tag of Earth if they are permitted to see Rock
There also should be identification of who can see a discussion when selecting these to make it clear who will be able to view it. maybe I'll make up my impression of a way of doing this (visually, I wish I could code in php :\)

Also, this discussion really does need to have its title changed. It is very little about migration then core permission structure.

Dominion

I just thought of another factor to throw into this discussion...

Permissions-related behavior needs to be intuitive from the user's perspective as well. So let's say the admin creates a "Site Team Only" tag and restricts access to registered members only. And he puts that in the tag description:

Conversations with this tag can be accessed by Site Team members only.

And let's assume a user chooses that tag, reasonably assuming that the thread would not be visible to forum members who aren't in that group. But he also chooses to add a secondary tag that restricts access to registered forum members, simply because that tag seemed appropriate to the topic. As a result of the OR, he ends up exposing content meant for the Site Team alone to the entire forum!

From this perspective, as well, the AND might be a better choice...

@Toby, perhaps it would be a good idea to change the title of this discussion to something relating more specifically to permissions? As for my migration-related question, I'm relieved by your response ... and of course I wouldn't expect that to be ready for beta. 🙂

Kulga

Dominion Conversations with this tag can be accessed by Site Team members only.

Perhaps - speculating - some kind of permissions indicator saying "X Y Z and registered members will be able to view this discussion"

Dominion

Hmm ... you mean in the tag selection screen? That's an idea...

However, I think I'd still push for the AND logic as opposed to the OR. It seems to me that allowing permissions settings to be negated by something as simple as the selection of another tag could lead to all sorts of trouble. It would be best to compare the permissions of all tags involved, and use the most stringent ones.

Remember, too, that moderators will be able to change tags after the fact. They'd need to be provided with a similar indicator (perhaps a confirmation dialog of some sort?) or you'd end up with a situation where even the moderators could inadvertently expose content to an audience it wasn't meant for.

Kulga

Dominion AND would permit nesting... but would be really annoying unless it automatically added parent tags.
If in a AND setup, I suppose users would accidentally block people from seeing discussions and in a OR environment, people would accidentally let people see discussions.
In a average use (that's a greedy phrase that doesn't say much) which is the lesser evil?
IMO, AND seems less evil

Dominion

Kulga IMO, AND seems less evil

I agree ... a moderator could fix things so that the accidentally blocked people can eventually get access. Whereas there's no way (short of a MIB-type device 🙂 ) to remove content from the minds of people who've accidentally been allowed to see it.

EDIT: Neuralyzer! That's what they called it. 😃

Dominion

Kulga Also, this discussion really does need to have its title changed. It is very little about migration then core permission structure.

Fortunately I now have the ability to do that! 🙂

Kulga To access a discussion with tags of Rock and Ice, user Foo must automatically be able to see all discussions with tag of Earth if they are permitted to see Rock

Yes, the AND logic implies that the parent must always be more accessible than the child; that's a limitation of that logic, but one that's not too hard to deal with. While conversely, with the OR logic you can never have a more restricted child nested inside a less restricted parent. The less restricted parent's permissions would end up trumping those on the child.

One consequence of this (which occurred to me only yesterday) is that admins would be forced to avoid nesting tags with restrictive permissions, meaning that they could end up having to create more primary tags than they would otherwise. The only alternative to this would be to use the same permissions for both parent and child, which is rather large lack of flexibility.

So with regard to nested tags (completely ignoring the possibility that other, non-nested tags might be added) the AND logic still tends to sound like the better option.

Toby

This is an old topic, but it was way down on my list of topics I need to reply to. And I decided to start from the bottom today. So here I am, finally. ?

Just wanted to state that the current behaviour of tag permission logic is actually AND. (I think – my brain is a bit of a blur at the moment.) To give an example:

If you have two restricted tags:

Admins-only: only visible to admins
Mods-only: only visible to admins + mods

The permissions work as follows:

A discussion in the admins-only tag will only be visible to admins.
A discussion in the mods-only tag will only be visible to admins and mods.
A discussion in both the admins-only and mods-only tags will only be visible to admins, NOT mods.

All good?

jacko

Toby A discussion in both the admins-only and mods-only tags will only be visible to admins, NOT mods.

That makes perfect sense. This way you won't accidentally show things by adding another tag to a discussion.

Dominion

Yes, I like the AND logic better. Much easier to deal with.

Toby If you have two restricted tags:

Admins-only: only visible to admins
Mods-only: only visible to admins + mods
The permissions work as follows:

A discussion in the admins-only tag will only be visible to admins.
A discussion in the mods-only tag will only be visible to admins and mods.
A discussion in both the admins-only and mods-only tags will only be visible to admins, NOT mods.

I'm guessing that tag visibility also works the same way? That is, you wouldn't want to (or, better yet, even be able to) make mods-only a sub-tag of admins-only, as that would prevent the mods from accessing their tag.

ron_jeremy

Toby A discussion in both the admins-only and mods-only tags will only be visible to admins, NOT mods.

What am I missing here? Why even bother selecting the Mods tag in this example?

Dominion

ron_jeremy Consider a scenario where admins-only is a sub-tag of mods-only.

... You'd have to select mods-only in order to be able to select admins-only. ?

(Granted, in that case you'd probably want to call it staff instead of mods-only. ? )

ron_jeremy

Dominion Ok that makes sense.

Dominion

⬅ Is not a programmer, but can sometimes manage to think like one for short periods of time. ?