Comment on a critical shortcoming in ezp3's authorisation model

Author Message

Volker Lenz

Friday 14 February 2003 9:11:52 am

In ezp 2.2.*, it was possible to define authorisation on content object-level. As a creator of content, you could decide for each individual folder or article, which users or user groups should be granted which kind of access to your content.

With the introduction of ezp3, authorisation on content object-level has been eliminated.

The substitutes available (authorisation-rules based on module-functions, with limitation opportunities to sections, classes and owners) are no adequate substitutes for content object-level authorisation, because their scope is either an ABSTRACT scope (module or classes) and therefore too general, or too limited (owners, sections) in order to establish access control for content.

If ez systems sold cars, I clearly would not buy such a car, since none of the keys they currently offer is appropriate to protect my car in a usual manner:

The "module"-key allows you to unlock either all cars of ezsystems or, if restricted by a "class"-policy, this key still allows you to unlock much too many cars, say - all roadsters or vans.

The "owner"-key, while pretty good to limit access to your car radically, has to be fixed irreversibly to your body (fingerprint key) and so even your wife or best friend could not use it to drive your car some day.

The "section"-key is not a car-key at all. Instead, it is the advice to buy a car without locks and park it on guarded parkings only. Unfortunately, anyone who passes the guard of your section-parking without being rejected, may afterwards choose to enter an arbitrary unlocked car on this site. So the "section"-guarded parking approach is suitable only in situations where you know you can trust everyone who enters the section not to enter another one's car or where every car is meant to be accessible to any visitor. My cars a clearly not of that kind.

The ONE SIMPLE THING missing in ezp3 is a kind of car key which unlocks only the car you own and can be distributed to a defined group of persons according to your preferences as car-keeper.

The role model of ezp3, although it is a great step towards a professional authorisation scheme, is not yet completely implemented in it's function to control user's or user-group's access to content. We can assign roles to users. This is pretty important to decide what kind of action a user should be allowed to perform on your site in general, e.g. "DRIVER LICENSE" or "BUS DRIVER LICENSE". But the assignment of roles to users should not be misused to define the access control to objects, too. Here is the grave misconception in current ezp3. Everybody who enters your site with a DRIVER LICENSE is entitled to take away any car he or she likes without further control. The ezp-devs have tried to cope with this through POLICY LIMITATION: This means that you can confine your DRIVER LICENSE to, say BIKES or something. However, as mentioned above, even a limited BIKE DRIVER LICENSE is NOT A KEY TO BIKES and your bike drivers may still take away any bike they like on your site.

What we simply need is an assignment of roles to content objects in order to accomplish the transitivity between users and content in authorisation logic and to obtain the desired car keys again.

I think it is pretty clear what this comment is about.
I am looking forward to further comments on this.

Jan Borsodi

Thursday 27 February 2003 7:23:48 am

Extending the policy system to allow adding policies directly on users would solve this problem. It could also be interesting to view a node and and tell which users can access this objects (reverse mapping).
After the 3.0 release we can do some more reasearch on this to see what can be done, we need to be able to select objects/nodes directly also a subtree match would be interesting.

--
Amos

Documentation: http://ez.no/ez_publish/documentation
FAQ: http://ez.no/ez_publish/documentation/faq

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.

eZ debug

Timing: Jan 18 2025 11:45:32
Script start
Timing: Jan 18 2025 11:45:32
Module start 'layout'
Timing: Jan 18 2025 11:45:32
Module start 'content'
Timing: Jan 18 2025 11:45:32
Module end 'content'
Timing: Jan 18 2025 11:45:32
Script end

Main resources:

Total runtime0.0167 sec
Peak memory usage2,048.0000 KB
Database Queries3

Timing points:

CheckpointStart (sec)Duration (sec)Memory at start (KB)Memory used (KB)
Script start 0.00000.0087 589.5156152.6875
Module start 'layout' 0.00870.0025 742.203139.5234
Module start 'content' 0.01120.0035 781.726693.4297
Module end 'content' 0.01470.0019 875.156334.3047
Script end 0.0167  909.4609 

Time accumulators:

 Accumulator Duration (sec) Duration (%) Count Average (sec)
Ini load
Load cache0.002514.9954140.0002
Check MTime0.00116.5986140.0001
Mysql Total
Database connection0.00095.591210.0009
Mysqli_queries0.002917.135930.0010
Looping result0.00000.088510.0000
Template Total0.00169.610.0016
Template load0.00085.003210.0008
Template processing0.00084.549410.0008
Override
Cache load0.00063.591910.0006
General
dbfile0.00021.167380.0000
String conversion0.00000.047140.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

UsageRequested templateTemplateTemplate loadedEditOverride
1print_pagelayout.tpl<No override>extension/community/design/community/templates/print_pagelayout.tplEdit templateOverride template
 Number of times templates used: 1
 Number of unique templates used: 1

Time used to render debug report: 0.0001 secs