
Dynamic user content permission problem


Paul Forsyth

Friday 18 June 2004 12:55:51 am

I'm working on a site with strict permissions to protect users' privacy.

I store information underneath the user object where each user can create, edit and delete their own objects. I can use the 'Self' limitation to control this.

The problem comes when other authorised users such as editors and admins add objects to this area. When added, my user is not able to see the new objects because they do own them. If I replace 'self' with 'any' the objects can be seen, but this allows users to read into other users' data if they know how to manipulate the URL.

What I need is a way of specifying a 'content read *' limited by a subtree which begins at the user object itself. I can of course add this manually but it would be a large overhead for each user (thousands). A workflow could help here but it would be nice if the system could handle this by default.

Is this easy/possible?

Thanks

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 1:11:44 am

Hi Paul,

I discussed a very similar (if not the exact same) problem with Balazs during the conference. What I needed was to create a support ticket system where a client should be able to view all nodes (support tickets and replies) below their user account. His answer was that this could (of course) be done using template code (which would generate a LOT of overhead), but that he didn't know of any way to do this using the roles and permissions module.

Seems to me that this should be added to the module, as it would be useful for several scenarios.

Sincerely,

Eirik Johansen
http://www.netmaking.no/

Paul Forsyth

Friday 18 June 2004 1:22:01 am

Thanks,

I wonder how templates can solve this? When the user wants to view information they have these permissions:

content, read, Section( NewSection ) , Owner( Self )

If an admin adds an object, such as a Notice item, the user won't be authorised to view it.

Changing the permissions to:

content, read, Section( NewSection )

produces security problems. Users can then read other users' information, which we cannot allow.

A subtree based on the user object would solve this. But I'd rather not add thousands of specialised permissions ;)

paul

--
http://www.visionwt.com

Paul Forsyth

Friday 18 June 2004 3:18:59 am

I now see how this can be achieved in templates. If permissions are relaxed, as they are with:

content, read, Section( NewSection )

then the templates can check what rights the user has. The problem then becomes one of putting these checks everywhere... Very heavy. It would be easier adding subtree permission to each user!

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 5:04:16 am

Absolutely! Will you post it as a suggestion, or should I?

Sincerely,

Eirik Johansen
http://www.netmaking.no/

Kåre Køhler Høvik

Friday 18 June 2004 9:03:19 am

Adding dynamic restrictions based on user should not be a problem. What other limitations could we make:

- subtree limitation on current user node.

Kåre Høvik
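
The three policy shapes discussed in this thread, modelled as an added example (not part of any post and not eZ Publish code): `Owner( Self )`, section only, and the proposed subtree limitation rooted at the current user's node. The path format, the `current_user` limitation value and all sample nodes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    path: str      # materialized path from root to node (assumed format)
    section: str
    owner_id: int

@dataclass(frozen=True)
class User:
    user_id: int
    path: str      # path of the user's own node

def in_subtree(node_path, root_path):
    # Compare whole path segments so "/1/5/10/" never matches "/1/5/101/...".
    return node_path.startswith(root_path.rstrip("/") + "/")

def can_read(user, node, policy):
    """Every limitation present in the policy must hold for access."""
    if "section" in policy and node.section != policy["section"]:
        return False
    if policy.get("owner") == "self" and node.owner_id != user.user_id:
        return False
    # Hypothetical dynamic limitation: resolved per request from the user.
    if policy.get("subtree") == "current_user" and not in_subtree(node.path, user.path):
        return False
    return True

OWNER_SELF = {"section": "NewSection", "owner": "self"}
SECTION_ONLY = {"section": "NewSection"}
USER_SUBTREE = {"section": "NewSection", "subtree": "current_user"}

# Constructed sample data: alice is user 10, the admin is user 14.
ALICE = User(10, "/1/5/10/")
NODES = {
    "own_note": Node("/1/5/10/200/", "NewSection", 10),
    "admin_notice": Node("/1/5/10/201/", "NewSection", 14),
    "bob_note": Node("/1/5/11/202/", "NewSection", 11),
    "carol_note": Node("/1/5/101/203/", "NewSection", 101),
}

def visible(user, policy):
    """Names of the sample nodes the user may read under the policy."""
    return sorted(n for n, node in NODES.items() if can_read(user, node, policy))

if __name__ == "__main__":
    for name, policy in [("owner self", OWNER_SELF),
                         ("section only", SECTION_ONLY),
                         ("user subtree", USER_SUBTREE)]:
        print(name, visible(ALICE, policy))
```

One policy with a limitation resolved from the requesting user covers every account, so no per-user policy rows are needed.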

Hardy Pottinger

Wednesday 21 July 2004 1:06:19 pm

I'm working on something similar, though I think we can get away with handling most of this with templates. I'm poking around for the exact way to get at user permissions objects, and while I'm sure I'll find it sooner or later, if anyone can point me in the right direction, that would be helpful.

We're very eagerly awaiting our copy of the eZ book. Supposed to be here by Friday!

Eirik Alfstad Johansen

Wednesday 22 March 2006 10:31:14 pm

Hi guys,

Do you know if there has been any progress on this issue?

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

D K

Monday 23 March 2009 1:20:52 am

Hi,

I have a similar problem. I have a gallery where users can upload images. When they upload, it creates a content object. This facility is provided in the frontend.

The problem is admin users can upload images to the gallery but the users cannot upload images. There are no error messages in the debug report.

I have given permission to users as follows:

content create Class( Image ) , Section( Photo ) , ParentClass( Gallery )
content edit Class( Image ) , Section( Photo ) , Owner( Self )

Please help!

http://www.eyepax.com
