Forums / Developer / Multilingual site: adding additional policy restrictions

Multilingual site: adding additional policy restrictions

Previous topic

Developer

Next topic

Author	Message
Sebastiaan van der Vliet	Thursday 07 May 2009 8:26:46 am Hi, I'm running two languages (siteaccesses) on a single ezp installation, single database, same set of templates. I want editors for both languages to be able to see the content in the other language, but not able to change 'anything'. I have set up two user groups, one for each language. Unlike content/edit, the following functions: restore, cleantrash, remove and manage_locations, hide, move and versionread do not have the option to restrict access by used language. In my opinion this is a 'security' risk, and I would like to correct this. The obvious place to start is the kernel/content/module.php file, by changing lines like: $FunctionList['cleantrash'] = array(); to $FunctionList['cleantrash'] = array('Language' => $Language); Can someone point out the other kernel files that would need to be modified to further restrict access by language? Certified eZ publish developer with over 9 years of eZ publish experience. Available for challenging eZ publish projects as a technical consultant, project manager, trouble shooter or strategic advisor.
Sebastiaan van der Vliet	Tuesday 12 May 2009 4:49:16 am For example, in a multilingual setup problems may arise with the 'hide' functionality. I don't want editors in one language to be able to hide items that have a translation in another language. So I want to restrict the ability to hide thing by language: only allow hiding items if there are no translations: In kernel/content/module.php: $FunctionList['hide'] = array( 'Subtree' => $Subtree,'Language' => $Language ); in kernel/content/hide.php $curNode = eZContentObjectTreeNode::fetch( $NodeID ); //start hack $obj = $curNode->object(); $availableLanguages = $obj->availableLanguages(); foreach ($availableLanguages as $availableLanguage) { $moduleAccessAllowed = $obj->checkAccess( 'hide', false, false, false, $availableLanguage ); if (!$moduleAccessAllowed) return $Module->handleError( eZError::KERNEL_ACCESS_DENIED, 'kernel' ); } //end hack Probably better if it goes to a page explaining the restriction, rather than serving a page with 'access denied'. And yes, I know. Don't touch the kernel. Certified eZ publish developer with over 9 years of eZ publish experience. Available for challenging eZ publish projects as a technical consultant, project manager, trouble shooter or strategic advisor.

Author

Message

Sebastiaan van der Vliet

Thursday 07 May 2009 8:26:46 am

Hi,

I'm running two languages (siteaccesses) on a single ezp installation, single database, same set of templates. I want editors for both languages to be able to see the content in the other language, but not able to change 'anything'. I have set up two user groups, one for each language.

Unlike content/edit, the following functions: restore, cleantrash, remove and manage_locations, hide, move and versionread do not have the option to restrict access by used language. In my opinion this is a 'security' risk, and I would like to correct this.

The obvious place to start is the kernel/content/module.php file, by changing lines like:

$FunctionList['cleantrash'] = array();

$FunctionList['cleantrash'] = array('Language' => $Language);

Can someone point out the other kernel files that would need to be modified to further restrict access by language?

Certified eZ publish developer with over 9 years of eZ publish experience. Available for challenging eZ publish projects as a technical consultant, project manager, trouble shooter or strategic advisor.

Sebastiaan van der Vliet

Tuesday 12 May 2009 4:49:16 am

For example, in a multilingual setup problems may arise with the 'hide' functionality. I don't want editors in one language to be able to hide items that have a translation in another language. So I want to restrict the ability to hide thing by language: only allow hiding items if there are no translations:

In kernel/content/module.php:

$FunctionList['hide'] = array( 'Subtree' => $Subtree,'Language' => $Language );

in kernel/content/hide.php

$curNode = eZContentObjectTreeNode::fetch( $NodeID );

//start hack
$obj = $curNode->object();
$availableLanguages = $obj->availableLanguages();
foreach ($availableLanguages as $availableLanguage)
{
	$moduleAccessAllowed = $obj->checkAccess( 'hide', false, false, false, $availableLanguage );
	if (!$moduleAccessAllowed)
		return $Module->handleError( eZError::KERNEL_ACCESS_DENIED, 'kernel' );
}
//end hack

Probably better if it goes to a page explaining the restriction, rather than serving a page with 'access denied'.

And yes, I know. Don't touch the kernel.