After studying Drupal's access control system I think I've sketched out a design that would add a lot of power and simplify a few things we have today.
Users would be associated with "realms" (via the DB and dynamically) and each realm would offer visibility to particular entities. This allows entities to be in multiple realms, and the realm membership would replace relationships as well (no need to keep two lists in sync for groups). Nicely, user roles would map right onto realms, too.
(Really there's no reason we couldn't use the ACL schema to hold relationships today, but that would not give us multiple access levels, so if we're taking on such a big change we may as well get everything we want.)
Only to some extent could we make the existing access API translate to a multi-value system, but if this is ever going to be possible we should start thinking about it.
- Evan Winslow @ewinslow
- Steve Clay @steve_clay
- Steve Clay @steve_clay
How would you do reverse relationship queries? Like groups I'm a member of instead of just members of a group?
You would search realm_members for the user JOINed with realms where realms.name matched /^member\d+$/.
So to get rid of the clunky regex we'd add a realms.target_guid column. So a group member relationship would be defined by realm (name=member, target_guid=123) instead of (name=member123). This would make realms more or less just like the current ACL table, which makes sense.
@Evan I've updated the schema separating realm types from targets. So "member123" becomes (member, 123) and no need to parse strings.
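The reverse lookup discussed in this thread ("groups I'm a member of"), as an added example that is not part of the original posts or of Elgg's code: it runs the query once against packed names such as `member123` and once against (name, target_guid) pairs. Only `realm_members`, `realms.name` and `realms.target_guid` come from the thread; the `id`, `realm_id` and `user_guid` columns, the function names and all rows are assumptions constructed for the sketch.

```python
import re
import sqlite3

def build_db():
    """In-memory schema with constructed rows (column names partly assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE realms (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            target_guid INTEGER,
            UNIQUE (name, target_guid)
        );
        CREATE TABLE realm_members (
            realm_id INTEGER NOT NULL REFERENCES realms(id),
            user_guid INTEGER NOT NULL,
            PRIMARY KEY (realm_id, user_guid)
        );
        -- Packed form: the target is part of the realm name.
        INSERT INTO realms VALUES (1, 'member123', NULL), (2, 'member456', NULL),
                                  (3, 'friend42', NULL);
        -- Split form: the same realms as (name, target_guid).
        INSERT INTO realms VALUES (4, 'member', 123), (5, 'member', 456),
                                  (6, 'friend', 42);
        -- User 42 belongs to groups 123 and 456; user 77 to group 123 only.
        INSERT INTO realm_members VALUES (1, 42), (2, 42), (4, 42), (5, 42),
                                         (1, 77), (3, 77), (4, 77), (6, 77);
    """)
    return db

def groups_by_name_pattern(db, user_guid):
    """Packed names: each joined row is parsed; the match must be anchored."""
    rows = db.execute(
        "SELECT r.name FROM realm_members m JOIN realms r ON r.id = m.realm_id "
        "WHERE m.user_guid = ? AND r.target_guid IS NULL", (user_guid,))
    matches = (re.fullmatch(r"member(\d+)", name) for (name,) in rows)
    return sorted(int(m.group(1)) for m in matches if m)

def groups_by_target_guid(db, user_guid):
    """Split columns: plain equality on name, target read directly."""
    rows = db.execute(
        "SELECT r.target_guid FROM realm_members m JOIN realms r ON r.id = m.realm_id "
        "WHERE m.user_guid = ? AND r.name = 'member'", (user_guid,))
    return sorted(guid for (guid,) in rows)
```

Both functions return the same group GUIDs for a given user; the second needs no string parsing, so an unanchored or prefix match on the name cannot pull in the wrong realm.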