An un-vetted user can engage in actions that cannot negatively impact others with a provisional-contributor role
@nedjo @cedewey working out my thoughts on this excellent question:
Do we need to explicitly add a contributor role, or can we use authenticated user? That is:
Will there be any access to the site less privileged than a contributor? Should all higher roles inherit all permissions of a contributor?
As written in the user stories for that use case, a Contributor is simply an authenticated user, as there is no role with lesser permissions. My instinct is that this is an oversight in the user stories and it does need to be a distinct role, that is, at the very least people can self-join as a pre-contributor, and do actions with no potential harm.
For the record, i repeat my plea that specialty roles, at least, get their own feature module so they can be used as a dependency by various other feature modules, rather than forced into a core feature module.
However, i'm proposing that this pre-authenticated or provisional-contributor role be made part of Drutopia core. This would help towards making it easy for people to start participating on a site, which i have long felt should be built into Drupal core, but evidently isn't going in anytime soon.
For instance, a self-registered user could follow content or people, like anything, and post comments and content that is un-published. This last part especially has two major benefits:
- A person can start getting involved with a site as soon as the urge strikes, rather than waiting X hours for an administrator's approval.
- It's a million times easier for an administrator to determine if an account application is spam after there is already
Because doing all this requires a fundamentally different conception of the base, authenticated user role (essentially treating it as an unauthenticated, provisionally accepted account role), this is a change we'd want in core Drutopia.
Indeed, this is the way we — well, @rosemarymann anyway! — has already constructed Drutopia so far, with a minimalist authenticated user role and common privileges on a Contributor role instead.
To keep the administrator experience easy and roughly consistent with stock Drupal, we would only have to have the Contributor role checked off by default when the administrator is creating a new user account.
And therefore we have the foundation for starting to allow authenticated, but not approved Contributor, users to start to get some provisional capabilities like posting unpublished content.