Forums / Developer / Strange access control behaviour

Strange access control behaviour

Author Message

Eirik Alfstad Johansen

Thursday 04 March 2004 12:57:52 pm

Hi,

Some of the users of my site have reported some strange behaviour related to access control.

I've created a class called "Web site to be monitored" where users can store web sites which will be monitored by a script in an extension.

After creating the class, I appended the following rules to the guest account role:

content create Class(Web site to be monitored)
content edit Class(Web site to be monitored) , Owner( Self )
content read Class(Web site to be monitored) , Owner( Self )
content remove Class(Web site to be monitored) , Owner( Self )

This should make sure that users can only view, edit and delete their own monitored web sites.

I then use a fetch() function in a template to fetch a list of all the web sites currently monitored.

The strange behaviour is that some users have reported that the web sites of other users are appearing in this list when they're logged in. However, when they visit the printerfriendly version of the list, their own web sites appear. Also, when I create a guest account at my end through the same interface, only the web sites created by myself appear in my list.

Does this make any sense to anyone. What could I be missing?

Thanks in advance !

Sincerely,

Eirik Johansen

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

Paul Borgermans

Thursday 04 March 2004 1:05:32 pm

Hi Eirik

Happened only in older release (3.1) with me (bugs fixed now) and when it is wrapped in cache blocks with a not so good key or syntax errors in cache blocks. What version are you referring to?

regards

-paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans

Eirik Alfstad Johansen

Thursday 04 March 2004 1:50:02 pm

v. 3.3

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

Georg Franz

Thursday 04 March 2004 4:18:55 pm

Hi Eirik,

unfortunatelly it's a "known, open bug", the content view caching doesn't support the policy "self-edit" yet.

Have a look at:
http://ez.no/community/bug_reports/security_risk_caching_problems_session_problems

Kind regards,
Emil.

Best wishes,
Georg.

--
http://www.schicksal.com Horoskop website which uses eZ Publish since 2004

Eirik Alfstad Johansen

Friday 05 March 2004 12:07:10 am

Thanks for the heads up, Emil !

Sincerely,

Eirik Johansen

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/