Site modes and user roles
Permissions are global and if the same user can login on different sites, it will have the same role. If you trust the user on one site, but not on another, then create another user with a different username.
If a logged in user update the language, all the sites on the same instance will use that language for this user.
We define 5 levels of permissions.
The users with root permissions have full access to anything, but most important, they can create new sites, change settings, add templates, etc.. The same login works for all the sites. Given that being able to access the templates means being able to inject code, this role should be reserved to people that know what they are doing and have a shell access.
They don't need to belong to a particular site but in this case they cannot recover the password via mail.
They can change a subset of site settings (notably, the ones which don't require restarting the webserver or shell access) in addition to the librarian permissions (see below). Only a root user can promote an user to admin. Users they create are always librarians (there is an item in the user dropdown menu on the navigation bar).
Every site can and should have one or more librarians with login. They are able to access the revisions, approve the texts, etc. Special pages are always reserved for them.
They can also create fellow librarians which will share the same privileges. They are peers and they can create peers.
There is an item in the user dropdown menu on the navigation bar for this purpose.
This is not strictly speaking a role, because no login is required. Anyway, to access some part of the sites (adding new texts, editing, the bookbuilder), a prove that the user is a human and not a bot is required. This is implemented via a question which the human has to answer. It takes 10 seconds and after that the humanity of the user is not questioned any more. Also, they should have cookies enabled (otherwise we can't store a session for them).
Humans which don't prove to be such and robots can access all the public part, including reading and download.
Each site can run in one of these three modes, which differ on the privileges granted to the humans. Site modes can be set in the admin, under the General configuration stanza.
Only logged in can access texts and the site.
This mode restricts access to the text editing to librarians only. Humans can still use the bookbuilder.
This mode is a "moderated wiki". Humans can add new texts and edit them, but approvals and publishing is reserved to the librarians.
This mode is an "open wiki". Humans can add new texts, edit them, and the result is published right away. Revisions are kept in the git, so it's always possible to revert to a previous one (but could be complicated and messy). Use at your own risk, but it could make sense as a private wiki or in a LAN.