Something I did several months ago was to abstract the permissions to the point where even the WYSIWYG editor could control who could select font colors, tables, image uploads, bold/italics, etc based on security profiles.
Wow! I'm thinking do we need to go that far?
What if we were to add a few more roles the user system? Maybe something like image uploads?
I don't know-- I have mixed feelings on that. 3 of my last 4 projects required that level of access, though, so even if we don't, I do think we should have some nice API functions to make these easier to do. At the moment it is a huge headache and are all hardcoded.
It would be so nice if one could merely do something like
$modx->addPermission("content", "Image upload", 0);
to add a new "Image upload" permission to the "Content Management" group with a default of 0 (no).
Then you could check it in the code:
if ($modx->hasPermission("content", "Image upload")) { ... };
Using a system similiar to this, a snippet could register a new permission right during install, along with a default state, and it would autoregister in all roles.
Something else to consider is that by putting these in as API calls, we move a step closer to being able to overload them to, for instance, use a pre-existing authentication system to check for permissions.
Does this make sense to anyone other than me?