eZContentObject::checkAccess strangeness

Bruce Morrison

Tuesday 23 November 2010 11:16:32 pm

Hi all

I'm working on some code that needs to identify if a particular user has edit access to an eZContentObject and have been running some tests using eZContentObject::checkAccess.

I found some strange code at the end of this method that modifies the result after the policies have been checked:

if ( $access == 'denied' )
{
    if ( $functionName == 'edit' )
    {
        // Check if we have 'create' access under the main parent
        if ( $this->attribute( 'current_version' ) == 1 && !$this->attribute( 'status' ) )
        {
            $mainNode = eZNodeAssignment::fetchForObject( $this->attribute( 'id' ), $this->attribute( 'current_version' ) );
            $parentObj = $mainNode[0]->attribute( 'parent_contentobject' );
            $result = $parentObj->checkAccess( 'create', $this->attribute( 'contentclass_id' ),
                                               $parentObj->attribute( 'contentclass_id' ), false, $originalLanguage );
            if ( $result )
            {
                $access = 'allowed';
            }
            return $result;
        }
    }
}

This is my interpretation:

If a user doesn't have edit access to the object and the current version = 1 and the object has a status of draft then
If the user can create an object of the same type under the same node then user can edit that object.

Can anyone let me know why/if this code is required?

Cheers
Bruce

P.S. It would also be great if the method could take an additional parameter $user that defaulted to false. The method could check if it was an eZUser type and use it or get the current user if not. This would make it a lot more flexible :)

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Nicolas Pastorino

Wednesday 24 November 2010 5:17:59 am

"

if ( $access == 'denied' )
{
    if ( $functionName == 'edit' )
    {
        // Check if we have 'create' access under the main parent
        if ( $this->attribute( 'current_version' ) == 1 && !$this->attribute( 'status' ) )
        {
            $mainNode = eZNodeAssignment::fetchForObject( $this->attribute( 'id' ), $this->attribute( 'current_version' ) );
            $parentObj = $mainNode[0]->attribute( 'parent_contentobject' );
            $result = $parentObj->checkAccess( 'create', $this->attribute( 'contentclass_id' ),
                                               $parentObj->attribute( 'contentclass_id' ), false, $originalLanguage );
            if ( $result )
            {
                $access = 'allowed';
            }
            return $result;
        }
    }
}

This is my interpretation:

If a user doesn't have edit access to the object and the current version = 1 and the object has a status of draft then
If the user can create an object of the same type under the same node then user can edit that object.

Can anyone let me know why/if this code is required?

"

Hi Bruce !

From the comment in the code, reading through it several times, and knowing that the 'edit' and 'create' functions of the 'content' module were often confusing, here is what I would understand:
If a user is trying to edit an object in its first version (i.e. create a new one) and was denied access to the 'edit' function, transform the access check into: "is she allowed to create an object of the given content class at this place in the content tree?" and bubble up the result. We are talking about object creation only here.

"

P.S. It would also be great if the method could take an additional parameter $user that defaulted to false. The method could check if it was an eZUser type and use it or get the current user if not. This would make it a lot more flexible

"

Yup, 100% agree here. Could you file this there : http://issues.ez.no/ezpublish ?

Cheers !

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye

Bruce Morrison

Wednesday 24 November 2010 3:40:13 pm

Hi Nicolas

Thanks for the input. The issue is that you can get a false positive from this code. If you have 2 policies

  1. Create Article
  2. Edit Article if you are owner

and there is an article, version 1 and in draft mode. Then checking if the user can edit will return true even if the user is not the owner of the object. (Policy 1 overrides 2)

This isn't an issue with the normal operation of eZ as editing via the admin interface uses eZContentObjectVersion::checkAccess which checks status & ownership before the policies.

The issue I have is that you can't rely on eZContentObject::checkAccess or eZContentObject::canEdit to determine if a user can edit an object.

It seems this is a "hack" to get around having to have both a create & edit policy to allow object creation. (i.e. create = create + edit version 1).

I can't decide if this is a feature or a bug. Given the situation where the false positive can occur I'm starting to think this is a bug. Anyone else want to weigh in?

Cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
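To make the false positive Bruce describes concrete, here is an added, self-contained model of the check (example code, not eZ Publish's own implementation): the two policies from his post, a version-1 draft owned by someone else, the 'create' fallback quoted at the top of the thread, and an ownership-first variant in the spirit of what he says eZContentObjectVersion::checkAccess does. The policy array, object array and user ids are constructed for the example; the status value 0 standing for a draft and the owner-limitation shape are simplifying assumptions.

```php
<?php
// Added example, not eZ Publish code: a minimal model of policy evaluation.

// Constructed policies: 1. create articles, 2. edit articles only as owner.
$policies = [
    ['function' => 'create', 'class' => 'article'],
    ['function' => 'edit',   'class' => 'article', 'owner_only' => true],
];

// Constructed object: first version, draft (status 0 assumed), owned by user 7.
$article = ['class' => 'article', 'version' => 1, 'status' => 0, 'owner_id' => 7];

// Plain policy evaluation: does any policy grant $function to $userId on $obj?
function policyAllows(array $policies, string $function, array $obj, int $userId): bool
{
    foreach ($policies as $p) {
        if ($p['function'] !== $function || $p['class'] !== $obj['class']) {
            continue;
        }
        if (!empty($p['owner_only']) && $obj['owner_id'] !== $userId) {
            continue; // owner limitation not satisfied for this user
        }
        return true;
    }
    return false;
}

// Model of eZContentObject::checkAccess('edit') with the quoted fallback:
// a denied 'edit' on a version-1 draft is re-checked as 'create'.
function checkAccessWithFallback(array $policies, array $obj, int $userId): bool
{
    if (policyAllows($policies, 'edit', $obj, $userId)) {
        return true;
    }
    if ($obj['version'] == 1 && !$obj['status']) {
        return policyAllows($policies, 'create', $obj, $userId);
    }
    return false;
}

// Ownership-first variant (assumption, modelled on Bruce's description of
// eZContentObjectVersion::checkAccess): a draft owned by someone else is
// never editable, so the create fallback cannot override policy 2.
function canEditDraft(array $policies, array $obj, int $userId): bool
{
    if (!$obj['status'] && $obj['owner_id'] !== $userId) {
        return false;
    }
    return checkAccessWithFallback($policies, $obj, $userId);
}

var_dump(checkAccessWithFallback($policies, $article, 42)); // user 42 is not the owner
var_dump(canEditDraft($policies, $article, 42));            // same user, ownership checked first
var_dump(canEditDraft($policies, $article, 7));             // the owner
```

The first call reports the non-owner as allowed purely through the create fallback, which is the false positive; the ownership-first variant denies it while still allowing the owner.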

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.