Forums / General / Hide folder for a particular role

Hide folder for a particular role

Author Message

Abdul Rasheed

Sunday 17 May 2009 9:54:53 pm

Hi,

I tired to hide a folder for a particular role by creating a new Policy for "Content" module and assigned the "Hide" functionality and selected the folder which needs to be hidden. But when the user assigned to particular role login to the system, the folder was visible to him.

Can anyone please suggest, is there any other steps which is required to hide the folder or any other options for hiding the folder.

Regards,
Abdul Rasheed

Greg McAvoy-Jensen

Sunday 17 May 2009 10:01:49 pm

Abdul,

Good question. You actually gave that user permission to hide the folder from everyone.

Instead, you need to be sure that role does not include the content/view policy for the folder class. See how views are granted for that role. If content/view is given to that role for all classes, you'll want to tighten control and only allow content/view for specific classes.

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

Abdul Rasheed

Sunday 17 May 2009 11:14:19 pm

Hi Greg,

Thanks for your reply.

I can now view only the classes which i have selected for that role and the other contents are hidden. But this will hide all the folders from the user.
My requirement is to view "Folder1" and hide "Folder2" from the user. Can you please suggest how can this be achieved.

Regards,
Abdul Rasheed

Gaetano Giunta

Monday 18 May 2009 12:18:30 am

Solution 1:
create 2 folder classes, and give user permission to view "folder" bur not "hidden_folder"

Solution 2:
use a section: assign to the "hidden" folder a new section, and give to everybody else but that user the permission to read content in that section

Solution 3:
use node-based permissions. You can assign to users a permission to read content only in specific subtrees / specific nodes

Just keep in mind that you cannot assign a negative (ie. no-read) permission, so to have only one user not accessing a node you will need to give him permission to read everything else but the specific node.

Principal Consultant International Business
Member of the Community Project Board

Abdul Rasheed

Tuesday 19 May 2009 9:22:55 pm

Hi,

I created the below policy to provide the "Read" permission for a specific node or subtree for a particular section,

content create Subtree( Files ) , Class( Folder , File ) , Section( Media )

But I was not able to view the whole content page if i restrict the "Read" permission to specific node or subtree.

Can anyone please suggest me how to set the policy to restrict the access for a particular folder or hide a particular folder for the user.

Regards,
Abdul Rasheed

Greg McAvoy-Jensen

Tuesday 19 May 2009 9:44:27 pm

The "content create" permission you mention you set up will only give create permission--not read permission. You'll need to add an additional policy to grant read permission.

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

Abdul Rasheed

Tuesday 19 May 2009 10:07:14 pm

Sorry. Instead of copying the "Read" policy i copied "Create" policy.

Following is the "Read" Policy.
content read Node( Files , Images ) , Class( Folder , File ), Section( Media ).

Can you please suggest what need to be added further to view only these nodes without getting any error.

Thanks in advance.

Regards,
Abdul Rasheed

Greg McAvoy-Jensen

Tuesday 19 May 2009 10:50:28 pm

I'm not sure what error you are getting; please specify.

If you're saying you've got folders configured the way you want (some are hidden, some are not, depending on subtree), and the only thing that remains is the rest of the content is all hidden as well, then just add another "read" policy giving access (without subtree restriction) to whatever other classes you want them to be able to see.

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

Abdul Rasheed

Tuesday 19 May 2009 11:33:57 pm

Hi

Following is the error I'm getting for the above defined policy.

The requested page could not be displayed. (1)
The system is unable to display the requested page because of security issues.

Possible reasons:
Your account does not have the proper privileges to access the requested page.
The requested page does not exist. Try changing the URL.

But if i define the policy like

content Read Class( Folder , File ) , Section( Media )

Without any sub tree or node specified I can view the entire Media Library with all the folders in it.

if you have Folder1 and Folder2 in this Media Library, our requirement is the user should view the content of Folder1 and not to view the content of Folder2.

Can you please explain me clearly what are the policies need to be defined for this.

Is there any documents which explain clearly about the access control model in eZ Publish.

Regards,
Abdul Rasheed

Greg McAvoy-Jensen

Tuesday 19 May 2009 11:44:11 pm

There are several great ways to do this. Gaetano gave you three choices above. You've tried his Solution #3--the subtree option. You could also use this Solution on a node-by-node basis if that meets your needs well.

Which of those three choices you select depends on things like:
- is this just an exception for one or a few nodes?
- will each user have a special set of folders they can view, and others can't?
- are all the folders the user should not have access to in one subtree, and all the ones they should be able to read are outside that subtree?
- who needs to be able to assign these permissions? does it need to be done on the fly for individuals, or can the rules be set once and left alone?

Perhaps a more narrative description of how your folder hiding system should work in relationship to individual users and user groups would help us make an appropriate recommendation of which solution would meet your needs best.

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

Abdul Rasheed

Wednesday 20 May 2009 12:56:15 am

I tried his third solution but getting the error which i have specified in my last post.

Each user have a special set of folder which he should view and the others should not view it. It should be hidden for other users.
Please suggest a solution.

Regards,
Abdul Rasheed

Gaetano Giunta

Wednesday 20 May 2009 2:00:24 am

Assign the read policy using the following limitation:

content/read + Class( Folder , File ) + Section( Media ) + Subtree (pick only needed folders)

and it will work.

In case you have troubles:
- tray emptying caches after assigning policies (there is a known bug in specific versions of eZP with policy cache)
- are you trying to access that folder directly in the backoffice or using some embed/object relation in the frontend siteaccess?

Principal Consultant International Business
Member of the Community Project Board

Abdul Rasheed

Wednesday 20 May 2009 2:32:43 am

Hi,

I assigned the policy given by you and deleted the caches. But doesn't work.
The following is the error i'm getting.

[05/20/2009 02:59 pm] The requested page could not be displayed. (1)
The system is unable to display the requested page because of security issues.

Possible reasons:

Your account does not have the proper privileges to access the requested page.
The requested page does not exist. Try changing the URL.

I'm accessing the folder through ezflow site admin ( Back office).

Regards,
Abdul Rasheed