Version 4

    FAQ Security


    Look at NukesSecurity for background on security concepts.


    Here are the FAQ module's class comments:

    /**
     * Security : we have a tree of categories and faq.
     * Categories are the nodes, faq are leaves only.
     *
     * To manipulate a category :
     *
     * ADD-EDIT-DELETE/faq:category:/$name:$id:
     * where $name is the category name and $id, its id.
     *
     * To manipulate a faq :
     *
     * ADD-EDIT-DELETE/faq:faq:/$question:$id:
     * where $question is the question for the faq and $id its id.
     */

    The following table outlines the various security tests that the FAQ module performs, and the minimum security level required to perform the operation.

    Test String                              | Operation                                                       | Minimum Security Level
    -----------------------------------------|-----------------------------------------------------------------|-----------------------
    category::                               | User can edit categories                                        | EDIT
    category::                               | User can add categories                                         | ADD
    category:<category name>:<category id>:  | For the given individual category, user can:                    | EDIT
                                             |   - edit the category                                           |
                                             |   - add sub categories to the category                          |
                                             |   - add questions to the category                               |
                                             |   - move a question from one category to another                |
                                             |     (needs permission on both the from and the to category)     |
    category:<category name>:                | User can add sub categories to the given category               | ADD
    category:<category name>:<category id>:  | User can delete the individual category                         | DELETE
    faq::                                    | User can edit FAQs                                              | EDIT
    faq::                                    | User can add FAQs                                               | ADD
    faq:<question>:                          | User can add to this question                                   | ADD
    faq:<question>:<question id>:            | User can edit the individual FAQ                                | EDIT
    faq:<question>::                         | User can edit the individual FAQ                                | EDIT
    faq:<question>:<question id>:            | User can delete the individual question                         | DELETE

    Since none of these tests covers viewing, the implication is that any user (anonymous or not) can view FAQs and categories.

    Example

    Given the following FAQ structure:

    Main Category
        Subcategory 1
            Question 1
            Question 2
            Question 3
        Subcategory 2
            Question 4
            Question 5
            Question 6

    and users:

    User name      | Groups
    ---------------|----------------------
    Admin          | Admins, Users
    Editor         | Editor, Users
    SpecialEditor  | SpecialEditor, Users
    User           | Users

    Allow all logged in users to add to existing FAQs.
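    The following Python is an added illustration, not the FAQ module's own code: it models the test table above and the example users, using components and instances in the "faq:category:" / "$name:$id:" shape from the class comment, a group-based permission table, and the minimum-security-level comparison. The access ladder follows the ordering of PostNuke's pnSecurity ACCESS_* constants (EDIT sits below ADD there); the regex matching of components and instances, first-match-wins rule ordering, the RULES table for Admin, Editor, SpecialEditor and User, and the rule that realises "Allow all logged in users to add to existing FAQs" are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Set

# Access ladder in the order of PostNuke/Zikula's pnSecurity constants (note
# that EDIT is below ADD); the checks below rely only on the ordering.
ACCESS_NONE = 0
ACCESS_READ = 200
ACCESS_EDIT = 500
ACCESS_ADD = 600
ACCESS_DELETE = 700
ACCESS_ADMIN = 800


@dataclass(frozen=True)
class Rule:
    """One row of a permission table (constructed model, not the module's storage)."""
    group: str      # group the rule grants to
    component: str  # regex over the component, e.g. "faq:category:" or "faq:faq:"
    instance: str   # regex over the instance, e.g. "Subcategory 2:.*"
    level: int      # highest access level the rule confers


def _matches(pattern: str, subject: str) -> bool:
    # fullmatch anchors the pattern so "faq:faq:" cannot match "faq:faq:extra".
    return re.fullmatch(pattern, subject) is not None


def effective_level(rules: Iterable[Rule], groups: Set[str], component: str, instance: str) -> int:
    """Level conferred by the first rule (in table order) whose group, component
    and instance all match; no match yields ACCESS_NONE. First-match ordering
    is an assumption of this model."""
    for rule in rules:
        if rule.group in groups and _matches(rule.component, component) \
                and _matches(rule.instance, instance):
            return rule.level
    return ACCESS_NONE


def sec_auth_action(rules, groups, component, instance, required: int) -> bool:
    """The 'minimum security level' test: pass when the effective level reaches it."""
    return effective_level(rules, groups, component, instance) >= required


# Instance strings in the shape the class comment gives: "$name:$id:".
def category_instance(name: str = "", cid: str = "") -> str:
    return f"{name}:{cid}:"


def faq_instance(question: str = "", qid: str = "") -> str:
    return f"{question}:{qid}:"


# Constructed permission table for the example users (an assumption).
RULES = [
    Rule("Admins", r"faq:.*", r".*", ACCESS_ADMIN),
    Rule("Editor", r"faq:category:", r".*", ACCESS_DELETE),
    Rule("Editor", r"faq:faq:", r".*", ACCESS_DELETE),
    Rule("SpecialEditor", r"faq:category:", r"Subcategory 2:.*", ACCESS_EDIT),
    Rule("SpecialEditor", r"faq:faq:", r".*", ACCESS_EDIT),
    # "Allow all logged in users to add to existing FAQs": the test string is
    # faq:<question>:, so the instance must carry a question; the "::" instance
    # used when adding a brand-new FAQ deliberately does not match.
    Rule("Users", r"faq:faq:", r"[^:]+:.*", ACCESS_ADD),
]

USERS = {  # group membership from the user table above; anonymous has no groups
    "Admin": {"Admins", "Users"},
    "Editor": {"Editor", "Users"},
    "SpecialEditor": {"SpecialEditor", "Users"},
    "User": {"Users"},
    "anonymous": set(),
}


def can(user: str, component: str, instance: str, required: int) -> bool:
    """Run one test from the table for a named example user."""
    return sec_auth_action(RULES, USERS.get(user, set()), component, instance, required)


if __name__ == "__main__":
    print(can("User", "faq:faq:", faq_instance("Question 1"), ACCESS_ADD))            # True
    print(can("User", "faq:faq:", faq_instance(), ACCESS_ADD))                        # False
    # Consequence of the ladder: ADD on a question also satisfies the EDIT test.
    print(can("User", "faq:faq:", faq_instance("Question 1", "1"), ACCESS_EDIT))      # True
    print(can("SpecialEditor", "faq:category:", category_instance("Subcategory 1", "1"), ACCESS_EDIT))  # False
```

    The last check in the block is the one worth verifying in a real deployment: because the ladder places ADD above EDIT, a rule granting ADD on faq:<question>: also passes the EDIT test on that question, so "add to existing FAQs" and "edit existing FAQs" are not separable by level alone.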