Realms: The Future of Access Control in Elgg?

After studying Drupal's access control system, I think I've sketched out a design that would add a lot of power and simplify a few things we have today.

Users would be associated with "realms" (via the DB and dynamically) and each realm would offer visibility to particular entities. This allows entities to be in multiple realms, and the realm membership would replace relationships as well (no need to keep two lists in sync for groups). Nicely, user roles would map right onto realms, too.

(Really there's no reason we couldn't use the ACL schema to hold relationships today, but that would not give us multiple access levels, so if we're taking on such a big change we may as well get everything we want.)

Only to some extent could we make the existing access API translate to a multi-value system, but if this is ever going to be possible we should start thinking about it.

  • How would you do reverse relationship queries? Like groups I'm a member of instead of just members of a group?

  • You would search realm_members for the user JOINed with realms where realms.name matched /^member\d+$/.

    So to get rid of the clunky regex we'd add a realms.target_guid column. So a group member relationship would be defined by realm (name=member, target_guid=123) instead of (name=member123). This would make realms more or less just like the current ACL table, which makes sense.

  • @Evan I've updated the schema separating realm types from targets. So "member123" becomes (member, 123) and no need to parse strings.
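
The (name, target_guid) layout discussed in this thread, as an added example that is not part of the original posts or Elgg's code: it runs the reverse "groups I'm a member of" lookup and a realm-based visibility check without parsing names. Only `realms.name`, `realms.target_guid` and `realm_members` come from the thread; the `entity_realms` table, the `id`, `realm_id`, `user_guid` and `entity_guid` columns, the `admin` realm name and all sample rows are assumptions.

```python
import sqlite3

# realms.name, realms.target_guid and realm_members come from the thread;
# every other table, column and sample row here is an assumption.
SCHEMA = """
CREATE TABLE realms (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    target_guid INTEGER NOT NULL, UNIQUE (name, target_guid)
);
CREATE TABLE realm_members (
    realm_id INTEGER NOT NULL REFERENCES realms(id),
    user_guid INTEGER NOT NULL,
    PRIMARY KEY (realm_id, user_guid)
);
CREATE TABLE entity_realms (
    entity_guid INTEGER NOT NULL,
    realm_id INTEGER NOT NULL REFERENCES realms(id),
    PRIMARY KEY (entity_guid, realm_id)
);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: groups 123 and 456, users 10 and 11, entities 900-902.
    db.executemany("INSERT INTO realms VALUES (?, ?, ?)",
                   [(1, "member", 123), (2, "member", 456), (3, "admin", 123)])
    db.executemany("INSERT INTO realm_members VALUES (?, ?)",
                   [(1, 10), (2, 10), (1, 11), (3, 11)])
    db.executemany("INSERT INTO entity_realms VALUES (?, ?)",
                   [(900, 1), (900, 2), (901, 3), (902, 2)])
    return db

def groups_of(db, user_guid):
    """Reverse query: groups the user is a member of, with no regex on names."""
    rows = db.execute(
        "SELECT r.target_guid FROM realm_members m JOIN realms r ON r.id = m.realm_id "
        "WHERE m.user_guid = ? AND r.name = 'member' ORDER BY r.target_guid",
        (user_guid,))
    return [g for (g,) in rows]

def visible_entities(db, user_guid):
    """Entities reachable through any realm the user belongs to; no row, no access."""
    rows = db.execute(
        "SELECT DISTINCT e.entity_guid FROM entity_realms e "
        "JOIN realm_members m ON m.realm_id = e.realm_id "
        "WHERE m.user_guid = ? ORDER BY e.entity_guid", (user_guid,))
    return [e for (e,) in rows]
```

Entity 900 sits in two realms yet appears once per user, and a user with no realm memberships sees nothing.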

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.