[development] CCK per field CRUD settings, caching complexity

Jeremy Epstein jazepstein at gmail.com
Mon May 29 23:24:11 UTC 2006


On 5/29/06, Bèr Kessels <ber at webschuur.com> wrote:
> However, removing stuff by permission is *always* the wrong way around. It is
> opt-out security, which is close to "not security". If someone is not allowed
> to not see something, it should not even be considered loading. It should not
> be available. Anywhere.

What about if modules (or even themes) need to "see" certain values,
for some kind of conditional logic, but the users aren't allowed to
access them? In this case, your security model either can't be
implemented, or would have to be hacked around; and "opt-out security"
would be a better option.

I've always found that loading all fields into an object is best,
since you never know when you'll need some of them. But then again,
I've never had to deal with field-level access control.

Cheers,
Jaza.
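The two loading strategies debated in this thread, side by side, as an added example that is not part of the original message and is not Drupal or CCK code. The field names, permission strings and function names are all hypothetical, and the sample data is constructed.

```php
<?php
// Constructed sample data: one node's field values and the permission each field requires.
const FIELDS = ['title' => 'Q3 report', 'body' => 'Summary text', 'salary' => 90000];
const REQUIRED_PERM = [
    'title'  => 'view content',
    'body'   => 'view content',
    'salary' => 'view salary',
];

// Opt-out: load everything, then remove what the account may not see.
// Every consumer of load_all() has to remember to call strip_denied();
// a code path that forgets renders the restricted value.
function load_all(): array {
    return FIELDS;
}

function strip_denied(array $node, array $perms): array {
    foreach (array_keys($node) as $name) {
        // A field with no permission mapping is treated as denied.
        if (!in_array(REQUIRED_PERM[$name] ?? null, $perms, true)) {
            unset($node[$name]);
        }
    }
    return $node;
}

// Opt-in: only fields the account has been granted are loaded for display,
// so a restricted value never reaches the object handed to the theme layer.
function load_for_account(array $perms): array {
    $node = [];
    foreach (FIELDS as $name => $value) {
        if (isset(REQUIRED_PERM[$name]) && in_array(REQUIRED_PERM[$name], $perms, true)) {
            $node[$name] = $value;
        }
    }
    return $node;
}

// Module logic that must "see" a restricted value for a conditional reads it
// through a separate accessor and returns only the derived result.
function module_is_high_band(): bool {
    return FIELDS['salary'] > 50000;
}

$editor = ['view content']; // constructed account without 'view salary'
var_dump(array_keys(load_all()));
var_dump(array_keys(strip_denied(load_all(), $editor)));
var_dump(array_keys(load_for_account($editor)));
var_dump(module_is_high_band());
```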

