
users / roles


Francis Nart

Wednesday 10 December 2003 8:26:14 am

Hi,

Is there any documentation on the setup of users and the way to assign roles/permissions? It is still very obscure for me at the moment!

Thanks!

Marco Zinn

Wednesday 10 December 2003 9:33:11 am

Hm, I'm sure there is some docu somewhere here, but I couldn't find it right now.
I think there are some pages in the official ez3-presentations: http://ez.no/developer/ez_publish_3 in the box on the right, at the bottom.

Quick rundown:
Users are used to .... have users ;) Well, for personification and permission stuff, for example.
As long as you are not logged in, ez3 uses a special user called "Anonymous". Sounds strange, but has some nice advantages ;)
You can group users into user groups for better handling and for simplifying the permission system. You can cascade (build a "tree") with user groups, but I think there is an open bug when you want to assign permissions to user groups and they are cascaded.
Until now, we didn't talk about permissions. Permissions are done with roles.
A role holds one or more "policies". They define whether a user can log in at all, what content he can read or write or edit or delete etc. etc.
Your role has some of these "policies" and with this, you create a "profile". This should be task-based, so when you define a role, you ask yourself: What rights (permissions) does a person need when he needs to accomplish a Task "A"? Define a Role "A".
What does he need to do "B"? Define a Role "B".

Then, you assign the role to individual users or user groups.

The permissions that are valid for a user are a summary of the permissions of all roles he has assigned and all roles that "his" user groups have assigned.

When you don't assign a role with some permissions to a user (group), they have no rights.

Note: Take care of the role and User "Anonymous", who usually can read some public part (section) of the site.

One more:
For some functions (like "read content") you can define in some .ini file (site.ini?) that they do not need any rights. Those will be available to everyone, bypassing the permission system!
Usually the functions "user login" and "user logout" are handled in the .ini.
Hope that helps.

Marco
http://www.hyperroad-design.com
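
The rules in the rundown above can be modelled in a few lines. This is an added example, not part of the original post and not eZ Publish code; the role, group and user names, the `NO_RIGHTS_NEEDED` set standing in for the .ini setting, and the inheritance of roles from parent groups are assumptions.

```python
# Added model of the rules in the post above; not eZ Publish code.
# All names and sample data are constructed for illustration.
ROLES = {  # role name -> set of (module, function) policies
    "Anonymous": {("content", "read")},
    "Editor": {("content", "read"), ("content", "edit")},
    "Remover": {("content", "remove")},
}
GROUP_PARENT = {"Guests": None, "Staff": None, "Editors": "Staff"}
GROUP_ROLES = {"Guests": {"Anonymous"}, "Staff": set(), "Editors": {"Editor"}}
USERS = {  # login -> (groups, roles assigned directly)
    "anonymous": ({"Guests"}, set()),
    "alice": ({"Editors"}, {"Remover"}),
    "bob": ({"Staff"}, set()),  # no role anywhere: no rights
}
# Stand-in for the .ini list of functions that need no rights.
NO_RIGHTS_NEEDED = {("user", "login"), ("user", "logout")}


def roles_of(login):
    """Roles assigned to the user plus roles of the user's groups.
    Walking up to parent groups is an assumption of this model."""
    groups, roles = USERS[login]
    roles = set(roles)
    for group in groups:
        while group is not None:
            roles |= GROUP_ROLES.get(group, set())
            group = GROUP_PARENT.get(group)
    return roles


def effective_policies(login):
    """Union of the policies of every role the user holds."""
    policies = set()
    for role in roles_of(login):
        policies |= ROLES[role]
    return policies


def is_allowed(login, module, function):
    """Default deny, except functions exempted from permission checks."""
    if (module, function) in NO_RIGHTS_NEEDED:
        return True  # bypasses the role system for every visitor
    return (module, function) in effective_policies(login)


def anonymous_exposure():
    """Everything a visitor who is not logged in can reach."""
    return sorted(effective_policies("anonymous") | NO_RIGHTS_NEEDED)
```

Reviewing the output of `anonymous_exposure()` after every role or .ini change shows what an unauthenticated visitor can reach, including functions that never pass through the role system.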

Francis Nart

Wednesday 10 December 2003 9:53:46 am

Thanks for that reply! I'll try all this right away!

Francis.

Georg Franz

Friday 12 December 2003 4:42:27 am

Hi Marco, ez team,

I have additional questions about the role system. It would be fine if one of the ez team answers too. I mainly want to know the theory, then I could test it for myself and report bugs :)

Example 1:
I have two roles with different policies.

node tree:
--main
-----subtree 1
--------article
--------user account
-----subtree 2
--------article
--------user account

role:
"registered user" -
-) is allowed to read all content which is in the subtree 1

"editor"
-) is allowed to edit all content which is in the subtree 1
-) is allowed to edit articles which are in the subtree 2

If I create a user and assign both roles to him, is the user allowed to edit AND read content in subtree 1?

Are there "default" dependencies between policies? For example: I give the user only the permission to edit content of class xy. Is he able to "read" the content before / after editing? (Another example: If I give the user only the right to delete content of the class xy, is he "automatically" able to read and edit the content of class xy?)

role "example":
-) read all content in subtree 1
-) edit all content in subtree 1
-) edit user-accounts

The user got the role "example". Is he able to edit user-accounts in subtree 2 although he has no read access in subtree 2?

What is the best way to manage roles?
-) Create one role for each "user class" (user, editor, chief editor etc.) with all necessary policies and assign only one role to the specific user ...
-) or create one role for each "user class" with only the "additional" policies.

By the way, in ez 3.2.3 the role system sometimes doesn't work as expected.

e.g. if you want to have "subtree limitations" don't do the following:
-) role "example 3"
---- read subtree 1
---- read subtree 2
---- read subtree 3 (and so on)

I think - in theory - this should work (shouldn't it?), but it won't. (I reported this in a post somewhere else)

Instead do this:
-) role "example 3"
---- read subtree (1,2,3)
(so put the limitations in one policy instead of creating three policies)

Kind regards,
Emil.

Best wishes,
Georg.

--
http://www.schicksal.com Horoskop website which uses eZ Publish since 2004

Claus Jensen

Tuesday 27 January 2004 5:14:16 am

Hi,
I also have problems with users and roles, now in 3.2.4. One of the reasons for which I upgraded from 3.2.3 and earlier 3.2.1. What is sad is that there still are no docs on how the role/permission system works. I can't create a correct permission set because of it. I want to have a specific node and subtree setting, but it's not working when I test it. WHERE ARE DOCS? There are none! This is very bad as this system has existed for at least a year now. It seems ez is thinking more about the layout on their website than documenting the system. Instead of documenting what they have, they create new layouts of the website leading to dead links in both docs and forums.

Anyway here is what I want to do (view all classes and content below MyFolder):
content read Subtree( MyFolder ) , Node( MyFolder , Root folder ) , Class( Folder , Info page , Link , File , Comment , Article , Image , Forum , Forum message , Product , Product review )

But when I try to fetch from the database like this:
{let children=fetch('content','tree',hash(parent_node_id, 2, "sort_by", array("published", false()), limit,5,class_filter_type, include, class_filter_array,array(2)))}
{section name=Child loop=$children max=5}
{node_view_gui view=line content_node=$Child:item}
{/section}

{/let}

It just gives me the "goddam no access"-page. Can anybody see what could be wrong here? I just expect it to return the articles from all subfolders that the user has access to. It's the anonymous user by the way. And I do press "Store".

My system: linux redhat 8, php 3.4.3, mysql 4.0.17.

regards,
claus