Hello all. Some design questions have arisen as part of a planned feature for NoNonsense Forum and I wanted everybody’s input.
--- here comes the science bit! ---
Basically, there would seem a need (not sure how widespread this is) to be able to run a private NoNonsense Forum that only certain people could access / post to.
Initially I was looking at using ".htpasswd", an Apache method that prompts the browser for login and authenticates against a given list of users. This essentially means that I don’t have to code a login screen, the browser provides it for you.
Use of .htpasswd is flawed however because:
a) The user needs to edit their ".htaccess" file, making it harder to update to new versions
b) The path to the ".htpasswd" file has to be absolute, which is hard to know on shared hosting and less friendly to newbies
c) It effectively by-passes the already existing name/password system, relying on the ".htpasswd" file instead. This is more of an internal design conflict, but does raise questions as to the worth of adding the feature
I can add HTTP authorisation using PHP (no need for htpasswd), but then you could just enter any name and password because the normal behaviour is to create a user if they don’t exist; so what gain would there be from an HTTP_AUTH request, rather than the name/password boxes that already exist?
There would need to be another feature (a text file likely) to say that only users x, y & z can view the forum.
This poses a UI problem; what do you make visible and accessible, and what do you not? These are more features to consider. Do you make the forum visible to all, but only accept submits from allowed usernames (bad UI), or do you provide a "login" button that invokes the authorisation request and only then display the input forms? Do you hide the entire forum and not allow them to see anything until they’ve logged in? (then search won't work anymore because it relies on Google). Should the forum display a splash screen and require them to click to log in rather than just throwing an auth request at them the second they visit the URL?
This whole thing seems like a slippery slope that conflicts with the design of NNF and will only lead to conflicting feature requests (like alternative search code for private forums).
What are your thoughts on NNF having an "only allow specific users" feature, and how it would be implemented?
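To make the "HTTP auth in PHP plus a text file of allowed users" idea concrete, here is an added sketch (not NNF code, and not from the post above) of how the gate could work so that an arbitrary name/password pair is no longer accepted: the browser supplies its own login box via a 401 challenge, and the credentials are checked against an allow-list file. The file name `users.txt`, its `username:password_hash` line format and the function names are assumptions for this example.

```php
<?php
// Added illustration, not NoNonsense Forum code: gate a private forum with PHP
// HTTP Basic auth plus an allow-list file, so only listed users get in.
// Assumed (constructed) allow-list format: one "username:password_hash" per line,
// with hashes produced by password_hash(). File name and location are hypothetical.
const ALLOW_LIST = __DIR__ . '/users.txt';
const REALM = 'Private forum';

// Read the allow-list into [username => hash]; blank lines and '#' comments are skipped.
function loadAllowList(string $path): array {
    $users = [];
    if (!is_readable($path)) return $users;
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name !== '' && $hash !== '') $users[$name] = $hash;
    }
    return $users;
}

// True only if the supplied credentials match an allow-listed user.
// password_verify() compares in constant time; unknown names are still checked
// against a dummy hash so response timing does not reveal which names exist.
function isAllowed(array $users, ?string $name, ?string $pass): bool {
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    if ($name === null || $pass === null) return false;
    $hash = $users[$name] ?? $dummy;
    return password_verify($pass, $hash) && isset($users[$name]);
}

// Challenge the browser; this is what makes it show its own login box.
function requireLogin(): void {
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    header('HTTP/1.1 401 Unauthorized');
    exit('Login required.');
}

$users = loadAllowList(ALLOW_LIST);
if (!isAllowed($users, $_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    requireLogin();
}
// From here on, $_SERVER['PHP_AUTH_USER'] names a verified, allow-listed user.
```

Two caveats for anyone trying this: `PHP_AUTH_USER`/`PHP_AUTH_PW` are only populated when PHP runs as an Apache module (under CGI/FastCGI the Authorization header has to be passed through by a rewrite rule, which brings back the `.htaccess` editing problem), and Basic auth sends the name and password in the clear on every request unless the forum is served over HTTPS.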