Multilingual site: adding additional policy restrictions


Sebastiaan van der Vliet

Thursday 07 May 2009 8:26:46 am

Hi,

I'm running two languages (siteaccesses) on a single ezp installation, single database, same set of templates. I want editors for both languages to be able to see the content in the other language, but not able to change 'anything'. I have set up two user groups, one for each language.

Unlike content/edit, the following functions do not have the option to restrict access by used language: restore, cleantrash, remove, manage_locations, hide, move and versionread. In my opinion this is a 'security' risk, and I would like to correct this.

The obvious place to start is the kernel/content/module.php file, by changing lines like:

$FunctionList['cleantrash'] = array();

to

$FunctionList['cleantrash'] = array('Language' => $Language);

Can someone point out the other kernel files that would need to be modified to further restrict access by language?

Certified eZ publish developer with over 9 years of eZ publish experience. Available for challenging eZ publish projects as a technical consultant, project manager, trouble shooter or strategic advisor.

Sebastiaan van der Vliet

Tuesday 12 May 2009 4:49:16 am

For example, in a multilingual setup problems may arise with the 'hide' functionality. I don't want editors in one language to be able to hide items that have a translation in another language. So I want to restrict the ability to hide things by language: only allow hiding items if there are no translations.

In kernel/content/module.php:

$FunctionList['hide'] = array( 'Subtree' => $Subtree,'Language' => $Language );

In kernel/content/hide.php:

$curNode = eZContentObjectTreeNode::fetch( $NodeID );

//start hack
$obj = $curNode->object();
$availableLanguages = $obj->availableLanguages();
foreach ($availableLanguages as $availableLanguage)
{
	$moduleAccessAllowed = $obj->checkAccess( 'hide', false, false, false, $availableLanguage );
	if (!$moduleAccessAllowed)
		return $Module->handleError( eZError::KERNEL_ACCESS_DENIED, 'kernel' );
}
//end hack

Probably better if it goes to a page explaining the restriction, rather than serving a page with 'access denied'.

And yes, I know. Don't touch the kernel.

Certified eZ publish developer with over 9 years of eZ publish experience. Available for challenging eZ publish projects as a technical consultant, project manager, trouble shooter or strategic advisor.
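
Added example, not part of the original posts and not eZ Publish code: a stand-alone PHP model of the two checks discussed in this thread, listing which functions accept no Language limitation and deciding whether an object-wide action such as hide is covered for every translation. The function names, the sample limitation lists and the locale values are assumptions constructed for illustration.

```php
<?php
// Constructed sample, not copied from kernel/content/module.php: each
// function name maps to the limitation types its policies accept.
$functionList = [
    'edit'       => ['Class', 'Section', 'Language'],
    'hide'       => ['Subtree'],
    'cleantrash' => [],
];

// Audit helper (hypothetical name): list the functions whose policies
// cannot be restricted by the given limitation type.
function functionsLacking(array $functionList, string $limitation): array
{
    return array_keys(array_filter(
        $functionList,
        fn(array $accepted): bool => !in_array($limitation, $accepted, true)
    ));
}

// Decision helper (hypothetical name): an object-wide action such as hide
// affects every translation, so the editor's allowed languages must cover
// all of the object's languages. An empty object list is denied as malformed.
function coversAllTranslations(array $allowedLanguages, array $objectLanguages): bool
{
    if ($objectLanguages === []) {
        return false;
    }
    return array_diff($objectLanguages, $allowedLanguages) === [];
}

// Constructed cases: an editor whose policy is limited to eng-GB.
$allowed = ['eng-GB'];
$cases = [
    'english only'      => ['eng-GB'],
    'english and dutch' => ['eng-GB', 'dut-NL'],
];

echo 'No Language limitation: ',
    implode(', ', functionsLacking($functionList, 'Language')), PHP_EOL;
foreach ($cases as $label => $languages) {
    $verdict = coversAllTranslations($allowed, $languages) ? 'allow' : 'deny';
    echo "hide on object ($label): $verdict", PHP_EOL;
}
```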
