Deprecate adminonly and simple_acl in favour of acl_user_groups

[ddeboer]

There are now too many ACL options (especially for newcomers to the framework) to choose from.

What about deprecating adminonly and simple_acl or at least strongly recommending to use acl_user_groups? Or does anyone still see good use cases for the older two ACL modules?

[mworrell]

I am for moving the mod_acl_simple_roles out of the core.
We can do the same with the mod_acl_adminonly if (and only if) we have good defaults for that module and clear documentation.
Till that moment I am for keeping the mod_acl_adminonly in the core.

[ddeboer]

I am for moving te mod_acl_simple_roles out of the core.

Good idea. Let’s start there.

for that module and clear documentation.

You mean defaults for acl_user_groups, right?

[mworrell]

Yes, good defaults for the user groups, content groups and some rules.

[mmzeeman]

Do you mean by good defaults also a way to move your resources from simple_roles to user_groups?

[mworrell]

@mmzeeman That could be a support function you can run manually?

[mmzeeman]

Yes of course. We currently have groups via predicates. That would allow us to write an update routine.

On 12 Jan 2016, at 13:54, Marc Worrell notifications@github.com wrote:

@mmzeeman https://github.com/mmzeeman That could be a support function you can run manually?

—
Reply to this email directly or view it on GitHub #1131 (comment).

[ddeboer]

We can start adding default ACL rules now #1173 has been merged.

[ddeboer]

What about the following set?

Group	Content group	Category	Permissions
anonymous	all	all	view
managers	all	all	view,insert,update,remove,link

Group	Modules	Permissions
managers	mod_admin	use
managers	mod_admin_category	use
managers	mod_admin_identity	use
managers	mod_content_groups	use
managers	mod_menu	use

Do we agree about adding this set as fixtures? This does mean they will be read-only on the ACL screen and cannot be altered later. We could optionally place them in a separate module, but that module should then be enabled by default to support the idea of an out-of-the-box set of useful rules.

/cc @fredpook @eminetuzkapan @Dirklectisch

[mworrell]

👍

Also we need to fix #1211

[mmzeeman]

What is the procedure for moving from acl simple roles to the new module?

[ddeboer]

1. Release mod_acl_user_groups with sane defaults and add a deprecation warning when mod_acl_simple_roles is still enabled. Document the deprecation (e.g. 0.15).
2. Remove mod_acl_simple_roles out of the core (e.g. 0.18: 3 months later?).

[mmzeeman]

And what do site owners with existing role assignments have to do to go from one to the other? Is it possible to automate this? Go from simple acl to more advanced acl?

[mworrell]

It might be possible to automate, at least partially.
Most is just changing categories and predicates.

The rules themselves could also be inserted, at least for the category creation and "view all" part.

[ddeboer]

And what do site owners with existing role assignments have to do to go from one to the other? Is it possible to automate this?

It might be possible to automate, at least partially.

True, but I’m not sure it’s worth the effort.

@mmzeeman and other users of mod_acl_adminonly: are you working with large ACL rulesets? How would you feel if we add instruction to the docs on how to upgrade to mod_acl_user_groups (which is now documented properly) but leave the creation of ACL rules up to you?

[mmzeeman]

Yes, I think it isn't worth the effort either. Even moving our sites to the groups acl isn't worth it either. For the moment we can simply use mod_acl_simple_roles as a separate module.