Last night, I committed a small portion of code to the dotProject permissions system which is important enough that it deserves some discussion here. It all stems from a relatively simple question:
What is the difference between 'edit' and 'view' permissions?
Sounds easy, right?
'Edit' permissions allow a user to edit the selected record. If I grant a user edit permissions on the CaseySoftware company, it means that they can view the related information and edit any of it. They can't necessarily delete it, but they could create Projects, etc.
'View' permissions on the other hand are read-only. A user can't edit or delete the attached information but they can see any of it. But all of this leads to a second question…
Does adding a Project to a Company constitute editing the Company?
Obviously the row in the database corresponding to that Company has not changed, but the related information has definitely changed. It gets even more interesting when a Project is view-only but its Tasks can be edited. By adding Tasks of varying durations and dates, I can effectively move the Project record farther from completion, shift its overall start and end dates, and potentially disrupt scheduling efforts, etc.
Therefore, I've implemented a set of functions based on a “getEdittableItems” concept. This allows for a more fine-grained control instead of the standard “getAllowedItems” function. While I don't expect everyone to see this exactly the same way, I've already seen this as a need in my own operations and I suspect it will only get more important as larger organizations with stricter Information Security policies implement dotProject. Eventually, it may make sense to have this as an advanced configuration option.
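To make the distinction concrete, here is an added example (not dotProject's code; the class, method and user names are assumptions for illustration) that models the two readings of "edit" side by side. A user holds view or edit on individual records; `get_allowed_items` returns everything at least viewable, `get_editable_items` only what may be changed, and `can_add_child` decides whether attaching a new Project to a Company or a new Task to a Project is permitted. With `strict=False` it applies the loose reading (the parent row itself is untouched, so view suffices); with `strict=True` it applies the position taken above, that adding children alters the parent's related data and schedule and therefore needs edit access.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple

# Hypothetical model of the edit/view distinction discussed in the post.
# Perm, Acl, get_allowed_items, get_editable_items and can_add_child are
# names chosen for this example, not dotProject's own API.

Record = Tuple[str, int]   # (record type, record id), e.g. ("company", 1)


class Perm(IntEnum):
    NONE = 0
    VIEW = 1   # read-only: may see the record and its related data
    EDIT = 2   # may change the record's own fields


@dataclass
class Acl:
    # (user, record) -> highest permission level granted on that record
    grants: Dict[Tuple[str, Record], Perm] = field(default_factory=dict)

    def grant(self, user: str, record: Record, level: Perm) -> None:
        # Keep the stronger of an existing grant and the new one.
        self.grants[(user, record)] = max(level, self.level(user, record))

    def level(self, user: str, record: Record) -> Perm:
        return self.grants.get((user, record), Perm.NONE)

    def can_view(self, user: str, record: Record) -> bool:
        return self.level(user, record) >= Perm.VIEW

    def can_edit(self, user: str, record: Record) -> bool:
        return self.level(user, record) >= Perm.EDIT

    def get_allowed_items(self, user: str, rtype: str) -> List[int]:
        """Every record of this type the user may at least view."""
        return sorted(rid for (u, (t, rid)), lvl in self.grants.items()
                      if u == user and t == rtype and lvl >= Perm.VIEW)

    def get_editable_items(self, user: str, rtype: str) -> List[int]:
        """Only the records of this type the user may change."""
        return sorted(rid for (u, (t, rid)), lvl in self.grants.items()
                      if u == user and t == rtype and lvl >= Perm.EDIT)

    def can_add_child(self, user: str, parent: Record, strict: bool = True) -> bool:
        """May the user attach a new child (Project under Company, Task under
        Project) to `parent`?

        strict=False: the parent row is not modified, so view access is enough.
        strict=True:  adding children changes the parent's related data (and,
        for Tasks, the Project's dates), so edit access on the parent is required.
        """
        return self.can_edit(user, parent) if strict else self.can_view(user, parent)


def build_sample_acl() -> Acl:
    """Constructed scenario from the post: alice can only view Project 10 but
    holds edit rights on one of its Tasks; bob can edit Company 1."""
    acl = Acl()
    acl.grant("alice", ("company", 1), Perm.VIEW)
    acl.grant("alice", ("project", 10), Perm.VIEW)
    acl.grant("alice", ("task", 100), Perm.EDIT)
    acl.grant("bob", ("company", 1), Perm.EDIT)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print("alice may view projects:", acl.get_allowed_items("alice", "project"))
    print("alice may edit projects:", acl.get_editable_items("alice", "project"))
    print("alice may add a task to project 10 (loose):",
          acl.can_add_child("alice", ("project", 10), strict=False))
    print("alice may add a task to project 10 (strict):",
          acl.can_add_child("alice", ("project", 10)))
```

Under the loose rule alice can keep adding Tasks to a Project she is only allowed to view, which is exactly the schedule-shifting problem described above; under the strict rule the same call is refused, while bob, who holds edit on the Company, may still create Projects beneath it.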