Authorize
Authorize is a system for working with users, groups, and permissions to determine whether actions are allowed to be executed. The authorize interface is also used to create users, grant or revoke permissions, and establish groups. Authorize closely relates to Authenticate and Access, which are prerequisites for authorization.
In order to grant permissions, the authorize interface breaks allocation down into three parts: the subject, the action, and the object. The subject is the user, such as a person. The action is what is being permitted, so it is referred to as the permission. The object is anything on which an action is performed, such as a page or comment.
Grouping
Authorize uses grouping to manage both users and the objects on which users act. For example, a user may be in the group administrator and a webpage may be in the group website. Permissions are therefore granted between groups: for example, the permission "edit page" would be set from administrator to website. Users themselves are also groups, allowing objects to be assigned to them (implying ownership).
Non-cascading
The authorize interface does not use a cascading style of permissions, meaning that objects in a group without permissions will not be allowed any actions. Implementations that use a cascading style of permissions generally require a more complex level of understanding. As a result, the interface only establishes grants and does not use the concept of denials.
Verifying Permissions
Searching for permissions begins by checking the current user and group containing the object for the specified permission name.
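The grant-only, non-cascading check described above can be sketched as follows. This is an added example, not code from the Authorize project: the class, method names, the `archive` group and the sample users and objects are hypothetical, and it assumes that an object assigned to a user's own group still needs an explicit grant.

```python
from collections import defaultdict

class Authorizer:
    """Grant-only, non-cascading permission store (all names hypothetical)."""

    def __init__(self):
        self.member_of = defaultdict(set)   # user -> subject groups
        self.contained = defaultdict(set)   # object -> object groups
        self.grants = set()                 # (subject group, permission, object group)

    def add_user(self, user, *groups):
        # A user is also a group of one, so objects can be assigned to it.
        self.member_of[user].update({user, *groups})

    def add_object(self, obj, *groups):
        self.contained[obj].update(groups)

    def grant(self, subject_group, permission, object_group):
        self.grants.add((subject_group, permission, object_group))

    def revoke(self, subject_group, permission, object_group):
        self.grants.discard((subject_group, permission, object_group))

    def is_allowed(self, user, permission, obj):
        # Allowed only if an explicit grant links one of the user's groups to
        # one of the object's groups under this exact permission name.
        # There are no denials and nothing is inherited: no grant, no action.
        return any((sg, permission, og) in self.grants
                   for sg in self.member_of.get(user, ())
                   for og in self.contained.get(obj, ()))

def build_sample():
    """Constructed sample data; only the group and permission names come from the page."""
    az = Authorizer()
    az.add_user("alice", "administrator")
    az.add_user("bob", "user")
    az.add_object("home", "website")
    az.add_object("old-report", "archive")   # group with no grants at all
    az.add_object("bob-draft", "bob")        # assigned to bob's own group
    az.grant("administrator", "edit page", "website")
    az.grant("bob", "edit page", "bob")      # assumption: ownership still needs a grant
    return az

if __name__ == "__main__":
    az = build_sample()
    for user, obj in [("alice", "home"), ("bob", "home"),
                      ("alice", "old-report"), ("bob", "bob-draft")]:
        print(user, "edit page", obj, "->", az.is_allowed(user, "edit page", obj))
```

Because the store holds only grants, revoking one is the only way to remove access, and an administrator still cannot act on an object whose group has no grants.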
Permission Prefixes
Permissions may have the following prefixes:
- view page - View the rendered page
- review page - Review the page details not otherwise visible
- create page - Create a new page
- edit page - Edit the page
- delete page - Delete the page
Group Tiers
The following groups are created during installation:
world
- user
- collaborator
- contributor
- moderator
- operator
- editor
- administrator


