[development] CCK per field CRUD settings, caching complexity

Bèr Kessels ber at webschuur.com
Mon May 29 12:18:09 UTC 2006

Op maandag 29 mei 2006 12:32, schreef Adrian Rossouw:
> (roles is just one way to split it, a prime  
> example is social networking, where
> people in your friends list have more view access to your profile).

This is, in fact, the main reason why I need this code :)

However, removing stuff by permission is *always* the wrong way around. It is 
opt-out security, which is close to "not security". If someone is not allowed 
to not see something, it should not even be considered loading. It should not 
be available. Anywhere. 

What you propose is indeed the fastest and simplest road to what I need. But 
it is also opt-out security. Wich is ALWAYS a bad decision. It WILL result in 
fields showing up where they should not (vs: fields do NOT show up where they 
should), this is murpys law, but one that should definately be taken into 
account zhen developing something. And security: having something show up by 
accident may not seem like a big deal to any of you. But imagine upgrading 
some (bad coded contrib) module and then to find out that you've had your 
customers creditcard details open to the world for a few days? Such things 
happen. They happen when you use opt-out security. The bad-coded module 
should be coded better, sure. But it should not have received the data in the 
first place. 

Still, as it is, the other alternative is bad, or no caching. Ill have to 
choose one of two bads. 


More information about the development mailing list