[drupal-devel] Core Folksonomy: First Code Available

Morbus Iff morbus at disobey.com
Tue Mar 15 23:35:06 UTC 2005 

> One suggestion: Should there be a conditional statement to trivially ignore
> community terms that are empty after the trim() call, in order to reject
> empty terms created by strings like "cat, dog,, fish, snake"? (I didn't look
> to see if the core already took care of that; I just didn't see it in your

Excellent. Yes, that's something that'll need to be added. (I suspect 
that if a blank value was sent to taxonomy_save_term, that module would 
croak, but I'm not entirely sure how the error would escalate upwards.)

Besides further integration, the next thing I'm thinking about is user 
permissions (and I admit to not giving it alot of thought until this 
paragraph, so I may "solve" it by the time I'm finished).

I've got to see what happens when a non-admin user logs in and creates a 
  node they have permission to. I /think/ the new code will function 
properly, but I suspect this is exploitable:

  * To ensure that the right community defined terms are added to the
    right folksonomy (thus ensuring multiple folksonomies on one
    site could remain independent, much like normal taxos [normal
    taxos use the unique tid so knowing the vid isn't important]),
    the vid is included in the node form:

     edit[taxonomy][vid][2]
     (note: "vid" will change to "community")

    This seemingly allows someone to make their own local form,
    change the vid to a controlled vid, and add a new term to
    a vocabulary that has not been designated community created.

I'm not sure what the best way to handle this is.

The easiest, but still error-prone way is to ensure that the $vid passed 
has $community enabled. This would require an additional lookup for 
every vocabulary attached to a particular node on taxonomy_node_save. 
Then, the user could only "corrupt" community-created folksonomies 
(where "corrupt" is loosely defined as "maliciously doing what he's 
already allowed to do"). But, see below.

The other alternative would be a brand new taxonomy permission:

  * add new terms to community-created taxonomies

Thus, you'd be able to create tiers of folksy users: all users can 
create nodes but group A can create new terms and group B can't. The 
downside of this is that the next "obvious" step would be to have a new 
permission PER community-created taxonomy: group A can create new terms 
in 'Folksonomy Tags', group B can create new terms in both 'Folksonomy 
Tags' and 'Another Example'. I can certainly see that being useful:

  * "gallery uploaders" can create new tags in 'Image-Only Folksonomy'
  * "music uploaders" can create new tags in 'MP3-Sharers Anonymous'.

but I'm not entirely sure if I'm just being pie-in-the-sky.

-- 
Morbus Iff ( i know a little of everything, a lot of nothing. )
Technical: http://www.oreillynet.com/pub/au/779
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus

More information about the drupal-devel mailing list