This could hook into either LDAP or PAM to use system credentials. If we do this, requiring HTTPS for login would be essential. (* This now does a lookup in LDAP to authenticate people -Art)
Where should lists of who can do what be stored? LDAP? http://uk2.php.net/manual/en/function.ldap-bind.php (* It fetches the list of the user's groups to be used for access levels -Art)
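A sketch of the flow described above, added here as an example and not the site's actual code: bind to LDAP as the user to check the password, then read the user's groups and map them to access levels. The server URI, base DNs, posixGroup/memberUid schema, permission names and the `ldap_login()`/`can()` helpers are all assumptions.

```php
<?php
// Assumed placeholders: adjust the URI, base DNs and group names to the real directory.
const LDAP_URI  = 'ldaps://ldap.example.org';
const PEOPLE_DN = 'ou=People,dc=example,dc=org';
const GROUPS_DN = 'ou=Group,dc=example,dc=org';
// Hypothetical mapping from LDAP group to the actions it unlocks.
const GROUP_PERMS = [
    'committee' => ['announce.post', 'members.edit', 'links.approve'],
    'librarian' => ['library.loan', 'library.edit'],
    'member'    => ['members.browse', 'library.browse', 'forum.post'],
];

/** Returns ['uid' => ..., 'perms' => [...]] on success, null on any failure. */
function ldap_login(string $uid, string $password): ?array
{
    // An empty password turns ldap_bind() into an unauthenticated bind,
    // which many servers accept, so it must be rejected before binding.
    if ($password === '' || !preg_match('/^[a-z][a-z0-9_-]{0,31}$/', $uid)) {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape the uid for the DN and, separately, for the search filter.
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . PEOPLE_DN;
    if (!@ldap_bind($conn, $dn, $password)) {
        ldap_unbind($conn);
        return null;
    }
    // Assumes the bound user is allowed to read group entries.
    $filter  = '(&(objectClass=posixGroup)(memberUid='
             . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, GROUPS_DN, $filter, ['cn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);

    $perms = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        // Groups not listed in GROUP_PERMS grant nothing (default deny).
        $perms = array_merge($perms, GROUP_PERMS[$entries[$i]['cn'][0]] ?? []);
    }
    return ['uid' => $uid, 'perms' => array_values(array_unique($perms))];
}

function can(?array $user, string $perm): bool
{
    return $user !== null && in_array($perm, $user['perms'], true);
}
```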
It might be nice to allow presentation of credentials through HTTP basic auth. This would allow creation of limited-access RSS feeds, for example. PEAR has Auth_HTTP for this. (basic mode auth generally sucks, so this could be a special feature of the RSS component -Art)
Things that need protecting, and the levels of access which might be required:
- Posting front-page announcements
- Member details: browse, add/edit, editing your own details?
- Library: browse, loan, edit
- Bananas: browse, award
- Blogs: posting to your own blog, adding comments ...
- GuestNet?: adding your own MAC, ...
- Managing permissions?
- Forum: browse, post, moderate, admin
- Projects: svn, trac...
- Links: adding, approving