Separate read / write / publish permissions #4313

@thorsten

Description

Part of #3832. Moderate refactor — enforcement is scattered.

Background

Today: separate add_faq / edit_faq / delete_faq / approverec rights exist, but there is no distinct READ gate and no PUBLISH right separate from edit/approve. Enforcement is inconsistent across the ~111 check sites.

Tasks

  • Add rights FAQ_READ and FAQ_PUBLISH to PermissionType (+ migration to seed them and assign to existing roles sensibly)
  • Refactor approval/publish workflow to gate on FAQ_PUBLISH, not edit/approve mix
  • Enforce FAQ_READ in FAQ display + Faq.php SQL generation
  • Centralize: keep all checks flowing through hasPermission*
  • Backward-compat: existing installs must keep working after migration

Acceptance criteria

  • Read, write, and publish are independently assignable rights
  • A user with write but not publish can edit but not make content live
  • Permission evaluation centralized; no scattered ad-hoc checks
  • Migration preserves current effective permissions for existing users
  • Tests cover the read/write/publish matrix
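The read / write / publish matrix and the "migration preserves effective permissions" criterion, sketched as an added example that is not code from the issue or from the project. The `Right` enum, `migrateRole()`, this simplified `hasPermission()`, the new string values, the sample roles, and the seeding rule (every existing role gets FAQ_READ; approverec implies FAQ_PUBLISH) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for PermissionType. The legacy right names and
// FAQ_READ / FAQ_PUBLISH are from the issue; the new string values are assumed.
enum Right: string
{
    case FAQ_ADD = 'add_faq';
    case FAQ_EDIT = 'edit_faq';
    case FAQ_DELETE = 'delete_faq';
    case FAQ_APPROVE = 'approverec';
    case FAQ_READ = 'faq_read';
    case FAQ_PUBLISH = 'faq_publish';
}

/** Assumed migration rule: seed the new rights so effective access is unchanged. */
function migrateRole(array $legacy): array
{
    $rights = $legacy;
    // No read gate exists before the migration, so every existing role can read.
    $rights[] = Right::FAQ_READ;
    // approverec is what makes content live today, so it carries over as publish.
    if (in_array(Right::FAQ_APPROVE, $legacy, true)) {
        $rights[] = Right::FAQ_PUBLISH;
    }
    return $rights;
}

/** Single decision point: fail closed when the right is absent. */
function hasPermission(array $rights, Right $needed): bool
{
    return in_array($needed, $rights, true);
}

// Constructed sample roles: two pre-migration roles and two created afterwards.
$roles = [
    'editor'   => migrateRole([Right::FAQ_ADD, Right::FAQ_EDIT]),
    'approver' => migrateRole([Right::FAQ_EDIT, Right::FAQ_APPROVE]),
    'reader'   => [Right::FAQ_READ],   // new role, read only
    'empty'    => [],                  // new role, nothing granted
];

// Print the read / write / publish matrix (write is taken to mean edit_faq).
foreach ($roles as $name => $rights) {
    printf("%-9s read=%d write=%d publish=%d\n", $name,
        hasPermission($rights, Right::FAQ_READ),
        hasPermission($rights, Right::FAQ_EDIT),
        hasPermission($rights, Right::FAQ_PUBLISH));
}
```

The `editor` row is the "write but not publish" case from the acceptance criteria, and the `empty` row shows a role created after the migration being denied read because nothing was granted.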
