group and object permissions and ownership, comment it pls!

M Desdin

Wednesday 23 April 2003 6:00:05 pm

we crashed against the actual ezp 3 implementation of permissions and ownership. we expose here some of them and ask for comments and help:
- total absence of object permissions and the ability of the object owner to change/set it
- no way to change the object ownership, possibly this could be gained with some extra coding, but can it be assigned to something different than a user? a group for example?
- ownerships during a role creation are restricted to self and any
- no group inheritance and consequently no permission (role) inheritance for them, i mean that a group belonging to/below another one doesn't inherit roles/permissions from the upper one. this behavior isn't ezp like!
are there any plans from ezp crew to improve the actual permissions/ownership implementation? how and when?
will it be difficult to try it by ourselves? please give us the necessary hints on this!
tia, md :)

Karsten Jennissen

Thursday 24 April 2003 4:22:34 am

Hi,

unfortunately I'm not an expert on permissions, but I think Volker Lenz wrote a comprehensive comment in the forums about a month or two ago on this topic. Couldn't find his post, though.

As far as your first two points are concerned, I am not sure whether you are aware of using sections to control object permissions. You can control permissions using site sections that can be arbitrarily assigned to nodes (objects too?). Anyway, the permission system is role based. Roles can be assigned to users and user groups. In the roles setup you can fine tune the permissions.

The others I give back to those who know something about that. :-)

Karsten

M Desdin

Thursday 24 April 2003 5:52:42 am

hi karsten,
no, there is no way to assign permissions to an object using sections, furthermore i don't see it as a desirable way under the actual role implementation.
let's expose a common example:
we build a site where users enter their personal data. we have groups and perhaps subgroups of them. we declare some sections and assign some roles to them. now some of these users decide to make their data belonging to the same class world readable, other users decide to make it group readable and the rest of them decide to make it only readable by themselves. think here of a unix like file permissions.
so, how do we approach the solution for this example? got it?
tia, md ;)

Karsten Jennissen

Thursday 24 April 2003 6:03:21 am

Maybe this thread'll help:

http://ez.no/developer/ez_publish_3/forum/setup_design/roles_and_user_drafts_help_needed

Karsten

Karsten Jennissen

Thursday 24 April 2003 6:11:47 am

Whoops, wrong thread. :)

http://ez.no/developer/ez_publish_3/forum/setup_design/multiple_sections_or_permissions

I am not sure how to do the complete thing or whether it is possible, as permissions are not set by those who create objects, but only by those who have access to the roles function, afaik.

Karsten

M Desdin

Thursday 24 April 2003 7:32:52 am

hi karsten,
thanks again! i don't see how this thread can help me. his problem is only partly related to the whole permissions problem i exposed earlier and can be actually solved!
in your last post you are pointing just to another problem in the roles creation and assignment!
ezp crew???
tia, md

Paul Borgermans

Thursday 24 April 2003 8:59:53 am

> - total absence of object permissions and the ability of the object owner to change/set it

well, only roles for now

>- no way to change the object ownership, possibly this could be gained with some extra coding, but can it be assigned to something different than a user? a group for example?

Yes, here we may need some extra coding. And no it cannot be assigned to a group.

>- ownerships during a role creation are restricted to self and any

That's right and covers quite some practical situations

>- no group inheritance and consequently no permission (role) inheritance for them, i mean that a group belonging to/below another one doesn't inherit roles/permissions from the upper one. this behavior isn't ezp like!

I agree on that (inheritance of groups).

More power in the roles/permissions, means more overhead for server processing. But I would like to have the possibility too.

Paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans
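
The model requested in this thread (owner-set, unix-like visibility per object, group ownership, and role inheritance down the group tree) can be sketched as below. This is an added example, not part of any post and not eZ Publish code; every class, function and role name (`Visibility`, `lineage`, `read_any`, and so on) is hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Visibility(Enum):
    OWNER = "owner"  # only the owner may read
    GROUP = "group"  # the owning group and groups below it may read
    WORLD = "world"  # anyone may read

@dataclass(eq=False)
class Group:
    name: str
    parent: Optional["Group"] = None
    roles: set = field(default_factory=set)

    def lineage(self):
        # Yield this group, then each group above it; stop on a cycle.
        seen, g = set(), self
        while g is not None and id(g) not in seen:
            seen.add(id(g))
            yield g
            g = g.parent

@dataclass(eq=False)
class User:
    name: str
    group: Group

    def effective_roles(self):
        # Inheritance: a subgroup member also holds the roles of upper groups.
        return set().union(*(g.roles for g in self.group.lineage()))

@dataclass(eq=False)
class ContentObject:
    owner: User
    owner_group: Group
    visibility: Visibility = Visibility.OWNER  # most restrictive by default

    def set_visibility(self, actor, visibility):
        if actor is not self.owner:  # only the owner changes the mode
            raise PermissionError(f"{actor.name} does not own this object")
        self.visibility = visibility

def can_read(user, obj):
    if user is obj.owner or obj.visibility is Visibility.WORLD:
        return True
    if "read_any" in user.effective_roles():  # hypothetical role name
        return True
    return (obj.visibility is Visibility.GROUP
            and any(g is obj.owner_group for g in user.group.lineage()))
```

Every `can_read` call walks the group tree up to its root, which is the per-request processing overhead mentioned in the last reply; a real implementation would likely cache each user's lineage and effective roles.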