Plugin Developer Discussion

Discussion for FogBugz Plugin developers

Plugin Permissions

Part of the purpose of the Alpha is to interact with real plugin developers and nail down parts of the architecture that are not yet finalized.  The biggest area that we need to make a decision on soon is plugin permissions.

Currently, plugins are allowed to access (nearly) anything by default.  That means if a plugin queries for a list of CBugs, it gets all bugs, not just the bugs that the current user is able to view.  The problem with this is that it means that plugins default to "Full Permissions" mode, and it's very easy to accidentally write a plugin that displays information that the current user does not have permission to view.

The counter-proposal is to have plugins default to "User Permissions" mode, meaning they can access only the data that the current user is able to access.  For example, if a plugin queried for a list of CPerson objects and some CPersons were not visible to the current user, they would get some objects that have properties like
{ixPerson: 14, sFullName : "User 14", sEmail: null, sPhone: null, ...}.

So I put the following questions to you:

1) How did you initially expect it to work?
1a) If you have experience with other APIs, how did they handle similar issues?
2) How would you like it to work?
3) Can you think of any examples in your plugins where you would need to query information that the current user is not permitted to see?
David Fullerton
Thursday, April 16, 2009
 
 
I am not a big fan of WordPress for a number of reasons, but I feel it does tend to do a number of things well (even despite its PHP background). One of the things it does seem to get right is how it handles this problem.

* plugins have full access to everything
* by default a user's permissions are enforced and the plugin has to explicitly tell WP when doing higher priv actions

An example might be that non-users can't see draft posts, but a plugin can force a draft post to be rendered to the user, but the plugin has to make it clear to WP that it wants to break permissions. The result is that without much thought a plugin dev will follow the default rules, but when one needs access to lower level functionality it is available.
Stefan Rusek
Thursday, April 16, 2009
 
 
I like Stefan's idea of by default using the user's permissions, but still being able to go full permission as required.

This kind of thing would be ideal for working with timesheets; most times a plugin will work with a user's data, but when in "manager" mode will be wanting to access timesheet data for all users, or a group defined by the plugin.
Ian Jones
Sunday, April 19, 2009
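
The model discussed in this thread (user-scoped results by default, full permissions only inside an explicitly requested scope), sketched as an added example that is not part of the original discussion and is not FogBugz's plugin API. `PluginApi`, `full_permissions`, the audit list and the sample data are hypothetical; only the `CPerson` field names and the redacted shape come from the thread.

```python
from contextlib import contextmanager
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Person:  # stand-in for CPerson; field names follow the thread
    ixPerson: int
    sFullName: str
    sEmail: Optional[str]
    sPhone: Optional[str]


# Constructed sample data, not real records.
SAMPLE_PEOPLE = [
    Person(7, "Ann Manager", "ann@example.com", "555-0100"),
    Person(14, "Bob Hidden", "bob@example.com", "555-0114"),
]


class PluginApi:
    """Hypothetical host API handed to a plugin for one request."""

    def __init__(self, people, current_user, visible_ids):
        self._people = list(people)
        self._user = current_user
        self._visible = set(visible_ids)
        self._elevated = False
        self.audit = []  # one (user, reason) entry per elevation

    @contextmanager
    def full_permissions(self, reason):
        """Explicit opt-in: the plugin must say why it bypasses user permissions."""
        if not reason:
            raise ValueError("elevation requires a reason")
        self.audit.append((self._user, reason))
        previous, self._elevated = self._elevated, True
        try:
            yield self
        finally:
            self._elevated = previous  # elevation ends even if the plugin raises

    def list_people(self):
        """User-scoped by default: records the user cannot view come back redacted."""
        return [p if self._elevated or p.ixPerson in self._visible
                else replace(p, sFullName=f"User {p.ixPerson}", sEmail=None, sPhone=None)
                for p in self._people]
```

Because elevation is a scoped, logged call rather than a global flag, a reviewer can find every place a plugin steps outside the current user's permissions by searching for `full_permissions`.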
 
 

This topic is archived. No further replies will be accepted.
