eZContentObject::checkAccess strangeness


Bruce Morrison

Tuesday 23 November 2010 11:16:32 pm

Hi all

I'm working on some code that needs to identify if a particular user has edit access to a eZContentObject and have been running some tests using eZContentObject::checkAccess.

I found some strange code at the end of this method that modifies the result after the polices have been checked:

if ( $access == 'denied' )
{
    if ( $functionName == 'edit' )
    {
        // Check if we have 'create' access under the main parent
        if ( $this->attribute( 'current_version' ) == 1 && !$this->attribute( 'status' ) )
        {
            $mainNode = eZNodeAssignment::fetchForObject( $this->attribute( 'id' ), $this->attribute( 'current_version' ) );
            $parentObj = $mainNode[0]->attribute( 'parent_contentobject' );
            $result = $parentObj->checkAccess( 'create', $this->attribute( 'contentclass_id' ),
                                               $parentObj->attribute( 'contentclass_id' ), false, $originalLanguage );
            if ( $result )
            {
                $access = 'allowed';
            }
            // The 'create' result is returned directly; $access is not consulted again
            return $result;
        }
    }
}

This is my interpretation:

If a user doesn't have edit access to the object and the current version = 1 and the object has a status of draft then
If the user can create an object of the same type under the same node then user can edit that object.

Can anyone let me know why/if this code is required?

Cheers
Bruce

P.S. It would also be great if the method could take an additional parameter $user that defaulted to false. The method could check if it was an eZUser type and use it, or get the current user if not. This would make it a lot more flexible :)

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Nicolas Pastorino

Wednesday 24 November 2010 5:17:59 am

"

 

if ( $access == 'denied' )
{
    if ( $functionName == 'edit' )
    {
     // Check if we have 'create' access under the main parent
         if ( $this->attribute( 'current_version' ) == 1 && !$this->attribute( 'status' ) )
        {
             $mainNode = eZNodeAssignment::fetchForObject($this->attribute( 'id' ), $this->attribute( 'current_version' ) );
             $parentObj = $mainNode[0]->attribute('parent_contentobject' );
             $result = $parentObj->checkAccess( 'create',$this->attribute( 'contentclass_id' ),
                                                $parentObj->attribute( 'contentclass_id' ), false, $originalLanguage );
              if ( $result )              {
                 $access = 'allowed';
             }
              return $result;
         }
    }
}

This is my interpretation:

If a user doesn't have edit access to the object and the current version = 1 and the object has a status of draft then
If the user can create an object of the same type under the same node then user can edit that object.

Can anyone let me know why/if this code is required?

"

Hi Bruce !

From the comment in the code, reading through it several times, and knowing that the 'edit' and 'create' functions of the 'content' module were often confusing, here is what I would understand:
If a user is trying to edit an object in its first version (i.e. create a new one) and was denied access to the 'edit' function, transform the access check into: "is she allowed to create an object of the given content class at this place in the content tree?" and bubble up the result. We are talking about object creation only here.

"

P.S. It would also be great if the method could take an additional parameter $user that defaulted to false. The method could check if it was an eZUser type and use it, or get the current user if not. This would make it a lot more flexible

"

Yup, 100% agree here. Could you file this there: http://issues.ez.no/ezpublish ?

Cheers !

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye

Bruce Morrison

Wednesday 24 November 2010 3:40:13 pm

Hi Nicolas

Thanks for the input. The issue is that you can get a false positive from this code. If you have 2 policies

  1. Create Article
  2. Edit Article if you are owner

and there is an article, version 1 and in draft mode. Then checking if the user can edit will return true even if the user is not the owner of the object. (Policy 1 overrides 2)

This isn't an issue with the normal operation of eZ as editing via the admin interface uses eZContentObjectVersion::checkAccess which checks status & ownership before the policies.

The issue I have is that you can't rely on eZContentObject::checkAccess or eZContentObject::canEdit to determine if a user can edit an object.

It seems this is a "hack" to get around having to have both a create & edit policy to allow object creation. (i.e. create = create + edit version 1).

I can't decide if this is a feature or a bug. Given the situation where the false positive can occur I'm starting to think this is a bug. Anyone else want to weigh in?

Cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
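The following Python model is an added illustration, not eZ Publish code and not posted by anyone in the thread. It reduces the fallback quoted in the first post and the two-policy false positive described in the reply above to a small policy evaluator: `check_access_with_fallback` reproduces the tail of eZContentObject::checkAccess (edit denied on a version-1 draft falls back to a 'create' check for the object's class under its parent), and `check_access_version_aware` models the status-and-ownership-first behaviour Bruce attributes to eZContentObjectVersion::checkAccess. The policy and object structures, the `DRAFT`/`PUBLISHED` constants, the ParentClass-style limitation and all ids are constructed assumptions for the model; "draft means only the owner may edit" is likewise an assumption, not a statement about eZ's real implementation.

```python
"""Toy model of the eZContentObject::checkAccess 'edit' fallback discussed in
the thread.  Constructed example; not eZ Publish code.  Policies, objects,
status values and user ids below are made up."""
from dataclasses import dataclass
from typing import Optional

DRAFT = 0       # assumption: the quoted snippet treats a falsy status as "draft"
PUBLISHED = 1


@dataclass(frozen=True)
class ContentObject:
    id: int
    class_id: str          # content class identifier, e.g. "article"
    owner_id: int          # creator of the object
    current_version: int
    status: int
    parent_class_id: str   # class of the main parent node's object


@dataclass(frozen=True)
class Policy:
    function: str                                  # 'create' or 'edit'
    class_ids: Optional[frozenset] = None          # None = any content class
    owner_only: bool = False                       # "owner: self" style limitation on edit
    parent_class_ids: Optional[frozenset] = None   # ParentClass-style limitation on create


def policy_allows(policy: Policy, function: str, obj: ContentObject, user_id: int) -> bool:
    """One policy grants access if its function matches and all its limitations hold."""
    if policy.function != function:
        return False
    if policy.class_ids is not None and obj.class_id not in policy.class_ids:
        return False
    if policy.owner_only and obj.owner_id != user_id:
        return False
    if policy.parent_class_ids is not None and obj.parent_class_id not in policy.parent_class_ids:
        return False
    return True


def check_policies(policies, function: str, obj: ContentObject, user_id: int) -> bool:
    """Plain policy evaluation: any matching policy grants access (OR semantics)."""
    return any(policy_allows(p, function, obj, user_id) for p in policies)


def check_access_with_fallback(policies, function: str, obj: ContentObject, user_id: int) -> bool:
    """Mirrors the tail of eZContentObject::checkAccess quoted in the thread:
    when 'edit' is denied on a version-1 draft, the answer becomes the 'create'
    check for the object's class under its main parent."""
    if check_policies(policies, function, obj, user_id):
        return True
    if function == 'edit' and obj.current_version == 1 and obj.status == DRAFT:
        # Ownership is never consulted on this path: a user who may create
        # articles "may edit" any stranger's version-1 draft article.
        return check_policies(policies, 'create', obj, user_id)
    return False


def check_access_version_aware(policies, obj: ContentObject, user_id: int) -> bool:
    """Models the behaviour the thread attributes to eZContentObjectVersion::checkAccess:
    status and ownership are checked before the policies.  Assumption for the
    model: a draft may only be edited by its owner."""
    if obj.status == DRAFT and obj.owner_id != user_id:
        return False
    return check_policies(policies, 'edit', obj, user_id)


# Constructed scenario from the second post: two policies, one draft article.
POLICIES = (
    Policy('create', frozenset({'article'})),                  # 1. Create Article
    Policy('edit', frozenset({'article'}), owner_only=True),   # 2. Edit Article if owner
)
DRAFT_ARTICLE = ContentObject(id=42, class_id='article', owner_id=100,
                              current_version=1, status=DRAFT, parent_class_id='folder')
OWNER, STRANGER = 100, 200

if __name__ == '__main__':
    print('policies only :', check_policies(POLICIES, 'edit', DRAFT_ARTICLE, STRANGER))                # False
    print('with fallback :', check_access_with_fallback(POLICIES, 'edit', DRAFT_ARTICLE, STRANGER))    # True (false positive)
    print('version-aware :', check_access_version_aware(POLICIES, DRAFT_ARTICLE, STRANGER))           # False
```

The contrast between the second and third lines of output is the whole point of the thread: the fallback answers a different question ("may this user create an article here?") and returns it as the answer to "may this user edit this draft?", so any caller that relies on eZContentObject::checkAccess or canEdit alone inherits the false positive, while a check that looks at version status and ownership first does not.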
