Right now, because some things can be done by administrators, editors-in-chief and editors, I used various indirect ways of checking, such as can('delete', 'article'). Maybe instead, administrators should have the two other roles tagged on, and editors-in-chief should have editor tagged on. They would then be inclusive.
Another option might be to describe inclusion in config.ini although that would mean having to refactor the ACL loader to process those recursively.
Once that's done, all code and templates should be scanned and updated to actually use proper has_role() checks where appropriate.
We also have the problem that editors who are also peers lose sight of any articles they can't review, so we need to audit all permissions checks to make sure they're positive, not negative like this peer check.
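A sketch of the recursive inclusion and positive checks described above, added as an illustration and not taken from the project's code. The `[role_includes]` section, its key format, and the functions `load_includes`, `expand_role`, `effective_roles` and `can_see_article` are assumptions; only the role names, `has_role()` and `config.ini` come from the issue.

```python
import configparser

# Constructed sample: the [role_includes] section and its key format are
# assumptions for illustration, not the project's actual config.ini layout.
SAMPLE_INI = """
[role_includes]
administrator = editor-in-chief, editor
editor-in-chief = editor
editor =
peer =
"""

def load_includes(ini_text):
    """Parse 'role = included, roles' lines into {role: set(included)}."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return {
        role: {r.strip() for r in value.split(",") if r.strip()}
        for role, value in parser["role_includes"].items()
    }

def expand_role(role, includes, _path=()):
    """Return role plus everything it includes, recursively; reject cycles."""
    if role in _path:
        raise ValueError("role inclusion cycle: " + " -> ".join(_path + (role,)))
    effective = {role}
    for child in includes.get(role, ()):
        effective |= expand_role(child, includes, _path + (role,))
    return effective

def effective_roles(assigned, includes):
    """Union of the expanded roles for every role assigned to a user."""
    roles = set()
    for role in assigned:
        roles |= expand_role(role, includes)
    return roles

def has_role(assigned, role, includes):
    """Positive check: true if any assigned role grants `role`."""
    return role in effective_roles(assigned, includes)

def can_see_article(assigned, includes, peer_can_review):
    """Grant if ANY role allows it; holding 'peer' never removes access."""
    if has_role(assigned, "editor", includes):
        return True
    return has_role(assigned, "peer", includes) and peer_can_review
```

The cycle check matters once inclusion is read from configuration: a mistyped entry that makes two roles include each other fails loudly at load time instead of recursing forever.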