restrict login to object/section/folder??

Previous topic

Install & configuration

Next topic

Author	Message
Gerhard Hoogterp	Wednesday 26 February 2003 12:07:36 am As it seems the role model is limited OR I don't understand completely what's going on but.. I would like to limit the adminrights of editors to the folder (plus children) containing their site. How to go? I can limit rights to a module, but all the sites/folders are handled by content and the rest of the modules named are uncharted territory. For me it would seem much more logical if I could restrict users to sections or classes. (No! You're not allowed to write in the news-folder!) On a side note it also seems that the list of modules is just the list of subdirectories in the kernel directory linking the cms part to the physical environment. A CMS should,imnho, be self-contained in this matter and roles/security should deal with the CMS and not with "weird" things on disc. The system administrator can deal with those.. Anyhow, leaves the question "how to restrict users to a section/folder or other object?"
Volker Lenz	Thursday 27 February 2003 2:52:35 am > As it seems the role model is limited OR I don't understand > completely what's going on but.. > > I would like to limit the adminrights of editors to the > folder (plus children) containing their site. How to go? > > I can limit rights to a module, but all the sites/folders > are handled by content and the rest of the modules named are > uncharted territory. For me it would seem much more logical > if I could restrict users to sections or classes. (No! > You're not allowed to write in the news-folder!) > > On a side note it also seems that the list of modules is > just the list of subdirectories in the kernel directory > linking the cms part to the physical environment. A CMS > should,imnho, be self-contained in this matter and > roles/security should deal with the CMS and not with "weird" > things on disc. The system administrator can deal with > those.. > > Anyhow, leaves the question "how to restrict users to a > section/folder or other object?" Your question first: You can define policies to control a user's access to sections. Take a look to this one: http://developer.ez.no/forum/message/14977 Your general comments on the current ezp authorisation model next: Yes, you got things right! ezp3 is still quite limited in its ability to support fine-tuned authorisation regimes. I spent some time to study the diverse authorisation utilities shipped with ezp3 and finally wrote rather exhausting comments on this, e.g. this one: http://developer.ez.no/forum/message/14601/ I have also issued a bunch of authorisation-related feature requests to the ezp3 bug reportings. Hope that helps.
Gerhard Hoogterp	Thursday 27 February 2003 4:20:27 am > Your question first: > You can define policies to control a user's access to sections. > Take a look to this one: > http://developer.ez.no/forum/message/14977 I found that one, but what I wanted is content * <section> and that doesn't seem to be possible as such. So I would have to create a rule for every option within the content class. No prices here, but for now it would do I guess.. > http://developer.ez.no/forum/message/14601/ I have to reread thatone as by now I think I'm deep enough into the matter to appriciate the content. Thanks, Gerhard

Author

Message

Gerhard Hoogterp

Wednesday 26 February 2003 12:07:36 am

As it seems the role model is limited OR I don't understand completely what's going on but..

I would like to limit the adminrights of editors to the folder (plus children) containing their site. How to go?

I can limit rights to a module, but all the sites/folders are handled by content and the rest of the modules named are uncharted territory. For me it would seem much more logical if I could restrict users to sections or classes. (No! You're not allowed to write in the news-folder!)

On a side note it also seems that the list of modules is just the list of subdirectories in the kernel directory linking the cms part to the physical environment. A CMS should,imnho, be self-contained in this matter and roles/security should deal with the CMS and not with "weird" things on disc. The system administrator can deal with those..

Anyhow, leaves the question "how to restrict users to a section/folder or other object?"

Volker Lenz

Thursday 27 February 2003 2:52:35 am

> As it seems the role model is limited OR I don't understand
> completely what's going on but..
>
> I would like to limit the adminrights of editors to the
> folder (plus children) containing their site. How to go?
>
> I can limit rights to a module, but all the sites/folders
> are handled by content and the rest of the modules named are
> uncharted territory. For me it would seem much more logical
> if I could restrict users to sections or classes. (No!
> You're not allowed to write in the news-folder!)
>
> On a side note it also seems that the list of modules is
> just the list of subdirectories in the kernel directory
> linking the cms part to the physical environment. A CMS
> should,imnho, be self-contained in this matter and
> roles/security should deal with the CMS and not with "weird"
> things on disc. The system administrator can deal with
> those..
>
> Anyhow, leaves the question "how to restrict users to a
> section/folder or other object?"

Your question first:
You can define policies to control a user's access to sections.
Take a look to this one: http://developer.ez.no/forum/message/14977

Your general comments on the current ezp authorisation model next:

Yes, you got things right! ezp3 is still quite limited in its ability to support fine-tuned authorisation regimes. I spent some time to study the diverse authorisation utilities shipped with ezp3 and finally wrote rather exhausting comments on this, e.g. this one:

http://developer.ez.no/forum/message/14601/

I have also issued a bunch of authorisation-related feature requests to the ezp3 bug reportings.

Hope that helps.

Gerhard Hoogterp

Thursday 27 February 2003 4:20:27 am

> Your question first:
> You can define policies to control a user's access to sections.
> Take a look to this one:
> http://developer.ez.no/forum/message/14977

I found that one, but what I wanted is

content * <section>

and that doesn't seem to be possible as such. So I would have to create a rule for every option within the content class. No prices here, but for now it would do I guess..

> http://developer.ez.no/forum/message/14601/

I have to reread thatone as by now I think I'm deep enough into the matter to appriciate the content.

Thanks,
Gerhard

eZ debug

Timing:	Jan 18 2025 11:44:54
Script start
Timing:	Jan 18 2025 11:44:54
Module start 'layout'
Timing:	Jan 18 2025 11:44:54
Module start 'content'
Timing:	Jan 18 2025 11:44:55
Module end 'content'
Timing:	Jan 18 2025 11:44:55
Script end

Main resources:

Total runtime	0.6746 sec
Peak memory usage	4,096.0000 KB
Database Queries	57

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0074	588.0547	152.6406
Module start 'layout'	0.0074	0.0040	740.6953	39.4766
Module start 'content'	0.0114	0.6618	780.1719	514.1641
Module end 'content'	0.6732	0.0014	1,294.3359	12.1250
Script end	0.6746		1,306.4609

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0031	0.4638	16	0.0002
Check MTime	0.0013	0.1939	16	0.0001
Mysql Total
Database connection	0.0015	0.2161	1	0.0015
Mysqli_queries	0.6126	90.8094	57	0.0107
Looping result	0.0007	0.1010	55	0.0000
Template Total	0.6403	94.9	2	0.3202
Template load	0.0021	0.3101	2	0.0010
Template processing	0.6382	94.6044	2	0.3191
Template load and register function	0.0003	0.0469	1	0.0003
states
state_id_array	0.0011	0.1632	1	0.0011
state_identifier_array	0.0007	0.1091	2	0.0004
Override
Cache load	0.0018	0.2643	53	0.0000
Sytem overhead
Fetch class attribute can translate value	0.0008	0.1211	2	0.0004
Fetch class attribute name	0.0020	0.3032	4	0.0005
XML
Image XML parsing	0.0010	0.1484	2	0.0005
class_abstraction
Instantiating content class attribute	0.0000	0.0017	4	0.0000
General
dbfile	0.0012	0.1839	16	0.0001
String conversion	0.0000	0.0016	4	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
3	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
5	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
1	content/datatype/view/ezimage.tpl	<No override>	extension/sevenx/design/simple/templates/content/datatype/view/ezimage.tpl
4	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	print_pagelayout.tpl	<No override>	extension/community/design/community/templates/print_pagelayout.tpl
Number of times templates used: 15 Number of unique templates used: 6

Time used to render debug report: 0.0001 secs