Dynamic user content permission problem


Paul Forsyth

Friday 18 June 2004 12:55:51 am

I'm working on a site with strict permissions to protect users' privacy.

I store information underneath the user object where each user can create, edit and delete their own objects. I can use the 'Self' limitation to control this.

The problem comes when other authorised users such as editors and admins add objects to this area. When added, my user is not able to see the new objects because they do own them. If I replace 'self' with 'any' the objects can be seen, but this allows users to read into other users' data if they know how to manipulate the URL.

What I need is a way of specifying a 'content read *' limited by a subtree which begins at the user object itself. I can of course add this manually but it would be a large overhead for each user (thousands). A workflow could help here but it would be nice if the system could handle this by default.

Is this easy/possible?

Thanks

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 1:11:44 am

Hi Paul,

I discussed a very similar (if not the exact same) problem with Balazs during the conference. What I needed was to create a support ticket system where a client should be able to view all nodes (support tickets and replies) below their user account. His answer was that this could (of course) be done using template code (which would generate a LOT of overhead), but that he didn't know of any way to do this using the roles and permissions module.

Seems to me that this should be added to the module, as it would be useful for several scenarios.

Sincerely,

Eirik Johansen
http://www.netmaking.no/


Paul Forsyth

Friday 18 June 2004 1:22:01 am

Thanks,

I wonder how templates can solve this? When the user wants to view information they have these permissions:

content, read, Section( NewSection ) , Owner( Self )

If an admin adds an object, such as a Notice item, the user won't be authorised to view it.

Changing the permissions to:

content, read, Section( NewSection )

produces security problems. Users can then read other users' information, which we cannot allow.

A subtree based on the user object would solve this. But I'd rather not add thousands of specialised permissions ;)

paul

--
http://www.visionwt.com

Paul Forsyth

Friday 18 June 2004 3:18:59 am

I now see how this can be achieved in templates. If permissions are relaxed, as they are with:

content, read, Section( NewSection )

then the templates can check what rights the user has. The problem then becomes one of putting these checks everywhere... Very heavy. It would be easier adding subtree permission to each user!

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 5:04:16 am

Absolutely! Will you post it as a suggestion, or should I?

Sincerely,

Eirik Johansen
http://www.netmaking.no/


Kåre Køhler Høvik

Friday 18 June 2004 9:03:19 am

Adding dynamic restrictions based on user should not be a problem. What other limitations could we make:

- subtree limitation on current user node.

Kåre Høvik
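
The three policy variants discussed in this thread, compared side by side in an added example that is not part of any post and is not eZ Publish code. It is a stand-alone Python model; the node paths, logins and the names `owner_self`, `user_subtree`, `can_read` and `visible` are constructed for illustration, and only the section name `NewSection` comes from the posts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    node_id: int
    path: str     # materialized path of node ids, e.g. "/1/5/101/200/"
    owner: str
    section: str

@dataclass(frozen=True)
class User:
    login: str
    node_path: str  # path of the user's own node in the tree

def owner_self(user, node):
    """Owner( Self ): only objects the user created."""
    return node.owner == user.login

def user_subtree(user, node):
    """Dynamic subtree limitation rooted at the current user's node."""
    # Compare on a slash-terminated root so "/1/5/10/" never matches "/1/5/101/...".
    root = user.node_path.rstrip("/") + "/"
    return node.path.startswith(root)

def can_read(user, node, section, limitations):
    """A policy grants read when the section and every limitation match."""
    return node.section == section and all(l(user, node) for l in limitations)

def visible(user, nodes, limitations, section="NewSection"):
    """Sorted ids of the nodes this user may read under the given policy."""
    return sorted(n.node_id for n in nodes if can_read(user, n, section, limitations))

# Constructed sample tree: two user nodes with content stored beneath them.
ALICE = User("alice", "/1/5/101/")
BOB = User("bob", "/1/5/10/")
NODES = [
    Node(200, "/1/5/101/200/", "alice", "NewSection"),  # Alice's own object
    Node(201, "/1/5/101/201/", "admin", "NewSection"),  # Notice added by an admin
    Node(300, "/1/5/10/300/", "bob", "NewSection"),     # Bob's own object
]

if __name__ == "__main__":
    for name, lims in [("Owner(Self)", [owner_self]), ("no owner limitation", []),
                       ("subtree at user node", [user_subtree])]:
        print(f"{name:22} alice={visible(ALICE, NODES, lims)} bob={visible(BOB, NODES, lims)}")
```

Only the subtree variant shows Alice the admin-created notice without also exposing Bob's object, and the slash-terminated comparison keeps Bob's root `/1/5/10/` from matching Alice's `/1/5/101/` branch.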

Hardy Pottinger

Wednesday 21 July 2004 1:06:19 pm

I'm working on something similar, though I think we can get away with handling most of this with templates. I'm poking around for the exact way to get at user permissions objects, and while I'm sure I'll find it sooner or later, if anyone can point me in the right direction, that would be helpful.

We're very eagerly awaiting our copy of the eZ book. Supposed to be here by Friday!

Eirik Alfstad Johansen

Wednesday 22 March 2006 10:31:14 pm

Hi guys,

Do you know if there has been any progress on this issue?

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

D K

Monday 23 March 2009 1:20:52 am

Hi,

I have a similar problem. I have a gallery where users can upload images. When they upload, it creates a content object. This facility is provided in the frontend.

The problem is admin users can upload images to the gallery but the users cannot upload images. There are no error messages in the debug report.

I have given permission to users as follows:

content create Class( Image ) , Section( Photo ) , ParentClass( Gallery )
content edit Class( Image ) , Section( Photo ) , Owner( Self )

Please help!

http://www.eyepax.com
