Seeking suggestions on an unusual permissions / node access problem

Monday 01 March 2004 12:36:36 am

I would like some advice on how to achieve the following in a correct method that still adheres to the core roles and security system of eZ publish 3.x.

I need to create a potentially user heavy site with up to 1000 users over time.
It's a 3 level structure, CEOs, Managers, Workers.
CEOs should be able to see into their employees' nodes in any company they are over.
Managers should be only able to see into their own node and all their workers' subnodes (but not other manager nodes on the same level, nor those managers' worker nodes)
Workers should only see their own node.

Please see the jpg on the following link for a better description.
http://www.r2r.net.au/levels.gif

I'd welcome suggestions on how to achieve this please.

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.

Monday 01 March 2004 8:02:20 pm

Thanks for been the first to jump in with some advice Tore.

We would anticipate it growing to around 200 companies, so I guess that would rule out using sections.

When you say access rules are you referring to workflow?

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.

Tuesday 02 March 2004 6:41:22 pm

Hi Brendan

I agree with Bård, it sure is a tricky one. I've been giving this a bit of thought as I have a similar problem with complex permissions in an extranet system I am trying to build.

As Bard has pointed out I'm not sure that it would be practicable to use the (current) permissions/roles system to achieve what you want. I think the only way to do this with the current version of eZ Publish is to use a combination of permissions and template logic to achieve what is required

Deep breath....Here goes.....

Create 3 content types, CEO, Manager, Worker under the Class Groups -> Users folder. Copy the default user class and rename appropriately and add any extra attributes required. You will also have a Company content type.

Create 3 User groups: CEOs, Managers, Workers

Create 3 Roles: one you each of the new user types - CEO , Manager, Worker.

You then have the "generic" rules for each role
Role: CEO content read class (Company, CEO, Manager, Worker), any section
Role: Manager content read class (Company, Manager, Worker), any section
Role: Worker content read class (Company, Worker), any section

Assign these roles to the corresponding user groups.

Add a company, create a section for this company, and assign the section to the newly created company

Add a CEO to the company. You will also need to add the CEO to the CEOs user groups. Now I'm not sure if this will work (and it is pretty important that it does). Will the role that is assigned to the CEOs user group be applied to the CEO user as the node in the user group will not be the main node?

You can make this an easier process by customising the edit template for the CEO content class (also do this for worker and manager content classes) to automatically place the node in the correct user group (See the edit_placement.tpl for an example of this).

The new CEO user will be assigned the section ID of the parent company.

Add Managers under the CEO and Workers under the Managers, making sure that they also get placed in their correct user group (these objects also get the same section ID as the company).

So now you need to have custom templates for each of the user content types
All - only display if the current user is of the same section as the current node (limits to a per company
CEO - nothing extra - only one CEO per company (thank god)
Manager - only display if current user is a CEO or has the same node ID as the current user
Worker - only display if current user is a Manager or has the same node ID as the current user.

It doesn't appear that you can fetch content and limit it to a specific section so you will have to do this "manually" when looping through the results. By enforcing this limitation in the template logic you will save you having to create a 3 roles per Company.

Also I'm assuming that Workers, Managers and CEOs will not be creating their own objects so they will not "own" their own object. So by having the template logic take care of having to assign self ownership to the worker objects.

Disclaimer: This "solution" has not been attempted and may not work. At the moment it is purely entirely a figment of my imagination.

I'd be interested in any feedback as to potential issues, logic problems etc.

Cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Wednesday 16 June 2004 2:11:06 pm

I've thought about this quite a bit too as we are trying to write an extranet also, and I believe you have to extend the code that deals with user sessions to store each company's root and programatically control the access to the company area and switch that out for each user/group. Then the CEO. Manager, etc would be able to play appropriate roles.

I see this as a design flaw as ezpublish can handle intranet security anr roles fine, its when you add an extra layer there is no way to manage it. The only thing close would be to create new siteaccess entries and templates to control this, but again this would have to be done for each "comapany" .. all 200 in your case...

Otherwise you are basiclaly going to end up doing a 3 roles for each company.

There needs to be some way to tie a role to a specific set of subtrees (programatically changing based on current suer/group)...