group and object permissions and ownership, comment it pls!

Wednesday 23 April 2003 6:00:05 pm

we crashed against the actual ezp 3 implementation of permissions and ownership. we expose here some of them and ask for comments and help:
- total absence of object permissions and the ability of the object owner to change/set it
- no way to change the object ownership, possibly this could be gained with some extra coding, but can it be assigned to something different than a user? a group for example?
- ownerships during a role creation are restricted to self and any
- no group inheritance and consequently no permission (role) inheritance for them, i mean that a group beloging to/below another one doesn't inherit roles/permissions from the upper one. this behavior isn't ezp like!
are there any plans from ezp crew to improve the actual permissions/ownership implementation? how and when?
will it be difficult to try it by ourselves? please give us the necessary hints on this!
tia, md :)

Thursday 24 April 2003 5:52:42 am

hi karsten,
no, there is no way to assign permissions to an object using sections, furthermore i don't see it as a desirable way under the actual role implementation.
let's expose a common example:
we build a site where users enter their personal data. we have groups and perhaps subgroups of them. we declare some sections and assign some roles to them. now some of these users decide to make their data belonging to the same class world readable, other users decide to make it group readable and the rest of them decide to make it only readable by themselves. think here of a unix like file permissions.
so, how do we approach the solution for this example? got it?
tia, md ;)

Thursday 24 April 2003 6:11:47 am

Whoops, wrong thread. :)

http://ez.no/developer/ez_publish_3/forum/setup_design/multiple_sections_or_permissions

I am not sure how to do the complete thing or whether it is possible, as permissions are not set by those who create objects, but ony by those you have access to the roles function, afaik.

Karsten

Thursday 24 April 2003 8:59:53 am

> - total absence of object permissions and the ability of the object owner to change/set it

well, only roles for now

>- no way to change the object ownership, possibly this could be gained with some extra coding, but can it be assigned to something different than a user? a group for example?

Yes, here we may need some extra coding. And no it cannot be assigned to a group.

>- ownerships during a role creation are restricted to self and any

That's right and covers quite some practical situations

>- no group inheritance and consequently no permission (role) inheritance for them, i mean that a group beloging to/below another one doesn't inherit roles/permissions from the upper one. this behavior isn't ezp like!

I agree on that (inheritance of groups).

More power in the roles/permissions, means more overhead for server processing. But I would like to have the possibility too.

Paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans