
Permissions...


perrin aybara

Monday 11 October 2004 12:48:40 am

I've been working with eZ Publish for a short while now, but only with template design. So when I today attempted to set permissions for content objects, I was pretty surprised by the hopeless role-system... Where on earth is the logic? You have to go through way too many steps to set permissions for a content object. Why not adopt a more "standard" file-system permission-system? Protect content-nodes directly by setting permissions for users/user groups?

Oh well. One can only wish...

Frederik Holljen

Monday 11 October 2004 2:26:56 am

We used a file system kind of permission system in the 2.x series and quickly discovered that it is way too limited for web use. One of the main problems is that users don't understand the permission controls and set incorrect permissions, giving others too many or too few permissions. It is also very hard for site administrators to find out what content is actually available for the site user and what content is not.

The current system allows you more fine grained control over the possibilities for the different users/user groups based on the actions of the modules without giving too much power to the users themselves. That said, an additional, more file system like, permission system could come in handy in some (few) cases.

Paul Borgermans

Monday 11 October 2004 3:04:37 am

"That said, an additional, more file system like, permission system could come in handy in some (few) cases."

You bet! I've implemented a small simple file sharing area in one of our portals, and per object permissions, while possible, aren't that feasible (to implement).

-paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans

Hans Melis

Tuesday 12 October 2004 2:45:07 am

The permission system indeed has room for improvement. Per object permissions would be nice to have, but it would also be nice to specify "deny" access rules.

All rules in the permission system are of the "allow" type. But if you have users who should be able to do a lot except a few things, you end up with a huge rule list in a role because you can't specify deny rules.

Hans
http://blog.hansmelis.be

Frederik Holljen

Tuesday 12 October 2004 4:56:16 am

Yes, both deny permissions and per object permissions would be really nice to have. It is not trivial to implement in a way that is not resource consuming however :/

Margon C.

Tuesday 26 October 2004 2:48:50 pm

That would be useful for me too.
I want to set user roles by folders, but the only way I could do this was by setting permission for section, but I need more specific role policies. I have n sections on my site, each one's administrated only by one user, I do not want the other users even to READ the other one's content... I can achieve the "create" and "edit" permissions but not "READ" permission, because I just don't get access to the content at all.