I've started sketching out new user and permissions system for v4.
Current system was influenced by experiences from phpBB3 and also my expectation that many things that are features on other forum systems will be achieved here by extreme configurability of permission system.
In hindsight I'll rather have less powerful but easy to reason about system in v4.
Users, Ranks, Roles and Category Roles
User permissions come from roles that are assigned to them directly or to their ranks.
This system is (to my knowledge) unique to Misago, and it's also confusing to reason about. Other forums have concept of users group, which in Misago is muddied by Rank ("primary group") and Role ("secondary group but not really").
In v4 I'll be dropping current system and implementing new one: Users will belong to groups. Each user will always have primary group, and will optionally belong to one or more secondary groups.
Roles will also be dropped, with permissions being specified directly on groups. If you want bunch of users have given permission, you can always create "Have given permission" hidden group and add users to it.
As for category permissions, I will be opting for simple and proven "see category, browse category, start threads, reply threads, upload files, download files" permission matrix known from forums like Invision Power Board.
In other forums "moderator" is a special relationship between user or group of users and category or feature. Eg. user or group of users can be explicitly declared as moderators of selected category.
This is not the case in Misago, where moderator is a user that has set of permissions allowing them more power over some features than other users (eg. open/close threads, pin/unpin, edit/delete other people messages). This makes it powerful (eg. you can make moderator who can only close/open threads), but in hindsight unnecessarily complex system.
This system is hard to reason about, makes UI logic complex and also prevent us from implementing features like category's moderators list in simple way.
So in v4 I'll go proven path, where there will be few ways to make somebody a moderator:
- Explicitly set them "global moderator" flag
- Add them to group that has "global moderator" flag
- Add them to group that is added as moderator to selected categories
- Add them as moderator to selected categories
Moderator tools will not check if user has permission to use given moderator tool. Instead they will check if user is moderator through any of those paths. This will make it much easier to reason about.