Dynamic user content permission problem

Author Message

Paul Forsyth

Friday 18 June 2004 12:55:51 am

Im working on a site with strict permissions to protect users privacy.

I store information underneath the user object where each user can create, edit and delete their own objects. I can use the 'Self' limitation to control this.

The problem comes when other authorised users such as editors and admins add objects to this area. When added my user is not able to see the new objects because they do own them. If I replace 'self' with 'any' the objects can be seen but this allows users to read into other users data if they know how to manipulate the url.

What i need is a way of specifying a 'content read *' limited by a subtree which begins at the user object itself. I can of course add this manually but it would be a large overhead for each user (thousands). A workflow could help here but it would be nice if the system could handle this by default.

Is this easy/possible?

Thanks

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 1:11:44 am

Hi Paul,

I discussed a very similar (if not the exact same) problem with Balazs during the conference. What I needed was to create a support ticket system where a client should be able to view all nodes (support tickets and replies) below their user account. His answer was that this could (of course) be done using template code (which would generate a LOT of overhead), but that he didn't know of any way to do this using the roles and permissions module.

Seems to me that this should be added to the module, as it would be useful for several scenarios.

Sincerely,

Eirik Johansen
http://www.netmaking.no/

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

Paul Forsyth

Friday 18 June 2004 1:22:01 am

Thanks,

I wonder how templates can solve this? When the user wants to view information they have these permissions:

content, read, Section( NewSection ) , Owner( Self )

If an admin adds an object, such as a Notice item, the user wont be authorised to view it.

Changing the permissions to:

content, read, Section( NewSection )

produces security problems, Users can then read other users information, which we cannot allow.

A subtree based on the used object would solve this. But i'd rather not add thousands of specialised permissions ;)

paul

--
http://www.visionwt.com

Paul Forsyth

Friday 18 June 2004 3:18:59 am

I now see how this can be achieved in templates. If permissions are relaxed, as they are with:

content, read, Section( NewSection )

then the templates can check what rights the user has. The problem then becomes one of putting these checks everywhere... Very heavy. It would be easier adding subtree permission to each user!

paul

--
http://www.visionwt.com

Eirik Alfstad Johansen

Friday 18 June 2004 5:04:16 am

Absolutely! Will you post it as a suggestion, or should I?

Sincerly,

Eirik Johansen
http://www.netmaking.no/

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

Kåre Køhler Høvik

Friday 18 June 2004 9:03:19 am

Adding dynamic restrictions based on user should not be a problem. What other limitations could we make :

- subtree limitation on current user node.

Kåre Høvik

Hardy Pottinger

Wednesday 21 July 2004 1:06:19 pm

I'm working on something similar, though I think we can get away with handling most of this with templates. I'm poking around for the exact way to get at user permissions objects, and while I'm sure I'll find it sooner or later, if anyone can point me in the right direction, that would be helpful.

We're very eagerly awaiting our copy of the eZ book. Supposed to be here by Friday!

Eirik Alfstad Johansen

Wednesday 22 March 2006 10:31:14 pm

Hi guys,

Do you know if there has been any progress on this issue?

Sincerely,

Eirik Alfstad Johansen
http://www.netmaking.no/

D K

Monday 23 March 2009 1:20:52 am

Hi,

I have similar problem. I have a gallery that users can upload images. When they upload it creates content object. This facility is provided in the frontend.

The problem is admin users can upload images to the gallery but the users cannot upload images. There is no any error messages in the debug report.

I have given permission to users as follows:

content create Class( Image ) , Section( Photo ) , ParentClass( Gallery )
content edit Class( Image ) , Section( Photo ) , Owner( Self )

Please help!

http://www.eyepax.com

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.