Re: BuddyPress Privacy Component: An Update
The answer is yes and no.
The privacy component is designed to offer users a mechanism to assign access rights (viewing rights) to their various core BP object groupings. It is not designed to let users assign per-item access control to any and all objects. So, for instance as you suggest, at this stage a user will not be able to assign an individual image discrete access rights. Why? Because photos (album objects) are not part of BP’s current core.
Please be advised that this component only provides the assignment of privacy levels to BP’s core object groupings. All 3rd-party components will need to code their own privacy control features–using this component as a model and tying into its access-control table.
Remember that this is a first version Privacy Component, so new features will be added later.
A little more about access control
Typically, Access Control Lists and protocols focus on flexibly setting access rights to resources based on predefined roles (for example: site admin, group admin, moderator, editor, contributor, member, user). This type of access control is more often called, and more appropriately referred to as, role-based access control (RBAC). Role-based AC is necessary when two or more people are involved in the management, oversight, and even ownership of specific subsets of data. This group of people then need to be jointly authorized to perform certain functions.
But BuddyPress is a user-centric platform where there are currently no-jointly owned or controlled subsets of data. Ignoring the overall Site Administrator, in BuddyPress, there is a one-to-one relationship between a given piece of data and a single owner of that data. Even groups (at this time) are owned and controlled by one user. Group Moderators are limited in their power and do not own anything.
The core BP privacy component is what I am calling a light-weight ACL implementation. At some point it may make sense to offer a separate, full-fledged RBAC system but I’m guessing that only a few devs who truly understood such a system would take advantage of it.
Offering privacy control on BuddyPress’ core component objects is more than sufficient.