user role for self editing

Author Message

James Ward

Wednesday 03 August 2005 2:12:01 pm

ez 3.6

I can't seem to get the roles correct to allow my registered members to edit their own information.

I have a role called "Members" which all registered members belong too. They are granted access to a members section of the site and should also have the ability to edit their own details. I have the role setup as follows:

content  	 read  	 Section( Members )
user 	all functions 	No limitations
content 	edit 	Class( User ) , Owner( Self )

I receive Access Denied kernel(1) errors when attempting to edit the user via content/view/full/317 where 317 is the user node id. And Object is unavailable kernel(3) errors when attempting to edit the user via /user/edit. If I log in as the administrator I can edit the user via the node_id method without any problems.

working at www.wardnet.com
blogging at www.jamesward.ca

Ɓukasz Serwatka

Wednesday 03 August 2005 11:10:05 pm

Hi James,

Module /user/edit/USER_OBJECT_ID need as last parameter object_id instead of node_id. You can also go directly to edit mode accessing content/edit/USER_OBJECT_ID.

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog

Luc Chase

Wednesday 03 August 2005 11:36:25 pm

James,
I too had a similar problem in 3.6.0
Even though the correct policies were in place within the role, members just could not selfedit.
However if you create a role with the following policies and then assign that role to your 'Members' role you may also find that it works for you (I don't know why).

I think this is the default set of policies for the default 'Registered User' role. So assign this role to your 'Members' role.

content    read 	No limitations
content    pdf 	        No limitations
user 	   login 	No limitations
user 	   selfedit 	No limitations
user 	   password 	No limitations
user 	   preferences 	No limitations

NB. Not certain this is significant, but the changelog for 3.6.1 mentions the following...
Fixed bug: Wrong conditional permisssion when you use more then one "assign with limitation" to one role for the same user (limitations are mixed using logical AND instead of logical OR operation).

The Web Application Service Provider

James Ward

Thursday 04 August 2005 8:44:06 am

Luc:
Thanks for the suggestion. I created a new role just for user self editing and assigned it to the members group. Member permissions are now as follows:

Registered User  user     login         No limitations
Registered User  user     selfedit      No limitations
Registered User  user     password      No limitations
Registered User  user     preferences   No limitations
Members          content  read          Section( Members )
Anonymous        content  read          Section( Standard , About , Signup , Newsletters , Presentations )
Anonymous        content  pdf           Section( Standard )
Anonymous        rss      read          No limitations
Anonymous        rss      feed          No limitations
Anonymous        user     login         SiteAccess( en )

But content/view/full/NODE_ID still give me an Access Denied kernel error(1). Thanks for trying. Maybe we can get some confirmation that this is related to the 3.6.1 bugfix.

Luke:
With the permissions set above I was able to access SOME of the user editing pages from /user/edit/OBJECT_ID. This rendered the user edit page but when I clicked Edit Profile I received an Access Denied kernel error (1), when I clicked Change Password it let me go ahead and change the password, when I clicked Change Setting it showed me the settings to disable the user and adjust the number of logins but when I clicked update it gave me an Access Denied error kernel(1). This last thing is good since I really don't want my users to be able to disable their own accounts.

My concern is mostly with the content/view/full/NODE_ID since thats the one that users receive in the confirmation emails. However if we can get another uri working then I'm sure I can edit the emails.

Any thoughts on what I could try next?

working at www.wardnet.com
blogging at www.jamesward.ca

Lex 007

Thursday 04 August 2005 8:59:48 am

Hi,

Create the following policy :

Content / Edit / Subtree(Users), Class(User), Section (Users), Owner(Self)

Lex

Luc Chase

Thursday 04 August 2005 9:13:04 am

James,
here is the full policy profile of the Editor role that works for my 3.6.0 instance. Beyond that I can't help. Looking forward to how this thread resolves.

Editor   (limited to subtree /1/43/)  	 content  	 all functions   	 No limitations
Editor   (limited to subtree /1/2/) 	content 	all functions 	No limitations
Registred User   	content 	read 	No limitations
Registred User   	content 	pdf 	No limitations
Registred User   	user 	login 	No limitations
Registred User   	user 	selfedit 	No limitations
Registred User   	user 	password 	No limitations
Registred User   	user 	preferences 	No limitations

By the way, remember that the user object is not (normally) owned by the user. But (as far as I can tell) the 'selfedit' policy checks that the logged in user ID is equal to the object_id to confirm they are attempting to edit their own details - not that they are the owner.

The Web Application Service Provider

James Ward

Thursday 04 August 2005 9:22:23 am

Luc,
As soon as I looked at your policies I realised what part of my problem was. Because I have assigned users access section by section I never gave them access to the Users section. Adding this seems to have solved the problem. As I can noe access the user information.

content  	 read  	 Section( Users )

I'm going to confirm that the users can edit their info before I call this thread done. Thanks.

working at www.wardnet.com
blogging at www.jamesward.ca

Luc Chase

Thursday 04 August 2005 9:25:02 am

James,
and they can't they read and or edit other users now, right?

The Web Application Service Provider

James Ward

Thursday 04 August 2005 11:42:34 am

Ok got this close to working correctly. With the following policies in place:

user     password      No limitations
content  read          Section( Users )
content  edit          Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )

My users can view their profiles, edit their information, and change their passwords.

I removed the selfedit, and login policies because they seemed to have no effect. I also removed the preferences policy because it would allow users to disable their accounts and control the number of logins they were allowed which is more power than I want to give them.

My problem as Luc mentioned is that any registered users can now browse all my registered users. They can only edit their own accounts but I am worried about someone stealing email address.

Unless there is a policy solution to this I will try to solve it using some template code.

Lex thanks for your subtree editing example it seemed to be the key to getting the editing working.

Luc and Luke let me know if you have any thoughts on how best to tackle the user browsing issue.

Thanks all.

working at www.wardnet.com
blogging at www.jamesward.ca

James Ward

Thursday 04 August 2005 12:41:25 pm

This is a little off topic for this thread but it may come in handy for users looking to accomplish the same thing as me.
To prevent my registered users from browsing the full reged user list I added the following in my override.ini:

[user_group_full]
Source=node/view/full.tpl
MatchFile=user_group/user_group_full.tpl
Subdir=templates
Match[class_identifier]=user_group

And then placed the following code in user_group_full.tpl:

{def $user=fetch('user', 'current_user')}
{def $user_node=fetch( 'content', 'node', hash( 'node_id', $user.contentobject.main_node_id ) )}
{node_view_gui view=full content_node=$user_node}

Since only logged in users have access to the user section on my site this will automatically redirect anyone attempting to browse the list to their own profile. If you have policies which would allow non-logged-in users to browse a simple {if $user} check would allow you to catch them and send them to another page as well.

working at www.wardnet.com
blogging at www.jamesward.ca

Luc Chase

Thursday 04 August 2005 1:29:58 pm

James,
in the policy profile I've posted above, users can read only their own details.

The Web Application Service Provider

James Ward

Thursday 04 August 2005 1:46:23 pm

Luc,
I guess I still have a problem then. Obviously I would much rather have all this handled by policies than with template trickery.

Looking at your policy I can't see what prevents a registered user from browsing the users section. I'll try to get my policy more inline with yours to see if I can close the security hole. I'll post my findings here after I've done a bit more testing.

working at www.wardnet.com
blogging at www.jamesward.ca

Luc Chase

Friday 05 August 2005 2:22:23 am

James,
I upgraded from 3.6.0 to 3.6.1 yesterday and just checked this again. I've just found that with the above policy profile, Editors CAN read other user details. Not 100% certain that this is because of the upgrade, but just wanted to let you know my findings. To fix it I've adjusted the policies as follows...

Editor   (limited to subtree /1/43/)  	content  	all functions   No limitations
Editor   (limited to subtree /1/2/) 	content 	all functions 	No limitations
Registred User   	                content 	read 	        Section( Standard , Media , Denmark, Roskilde , Hungary, Bekes )
Registred User   	                content 	pdf 	        No limitations
Registred User   	                user 	        login 	        No limitations
Registred User   	                user 	        selfedit 	No limitations
Registred User   	                user 	        password 	No limitations
Registred User   	                content 	read 	        Section( Users ) , Owner( Self )

Basically I removed the unlimited access to the Content module (which would have included the User section) and added an ability to read Standard, Media and other relevant (project specific) sections. Then added ability to read User section if Owner is Self ( that bit should not work but it seems it does allow the user to see their own details - even though they are not the owner ).
Also removed ability to edit user preferences, but this is would be an optional change.

The Web Application Service Provider

Lex 007

Friday 05 August 2005 5:08:27 am

I think you should change

content  read          Section( Users )
content  edit          Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )

to

content  read          Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )
content  edit          Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )

Luc Chase

Friday 05 August 2005 6:51:50 am

In my last post above, the policy

Registred User   	                content 	read 	        Section( Users ) , Owner( Self )

Would generally not help, because newly registered users don't own their record. It worked in my particular case because somewhere along the line the policies allowed the user to edit any user record, so having perhaps created a new draft they became the owner. But new users could not read their details (such as via the link in the welcome e-mail). But they could edit their own details because they had the 'selfedit' policy.
So, in the end the only way I can find to allow selfedit whithout allowing the user to read other user records is to borrow code from the &canEdit() function in kernel/classes/ezcontentobject.php
for use in the &canRead() function
producing....

function &canRead( )
    {
        if ( !isset( $this->Permissions["can_read"] ) )
        {
            $this->Permissions["can_read"] = $this->checkAccess( 'read' );
						if ( $this->Permissions["can_read"] != 1 )
            {
                 $user =& eZUser::currentUser();
                 if ( $user->id() == $this->attribute( 'id' ) )
                 {
                     $access = $user->hasAccessTo( 'user', 'selfedit' );
                     if ( $access['accessWord'] == 'yes' )
                     {
                         $this->Permissions["can_read"] = 1;
                     }
                 }
            }
        }
        $p = ( $this->Permissions["can_read"] == 1 );
        return $p;
    }

This makes the (reasonable?) assumption that if you can selfedit then you can 'selfread'. Too bad it taints the kernel.
Other threads have come up with an alternative solution of changing the owner (to their own id) when the user signs up; instead of using the default owner id set in the site.ini file.

The Web Application Service Provider

James Ward

Friday 05 August 2005 7:53:49 am

Lex you rule!
My registered users policy is now as follows:

content  edit      Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )
content  read      Subtree( Users ) , Class( User ) , Section( Users ) , Owner( Self )
user     password  No limitations

And users can no longer browse the registered users or view another users profile. My only problem now is the "send for publishing" after user editing redirects to the user_group above which of course the editing user does not have access too. I'm sure this redirect wont be that hard to change.

Luc, the fact that Lex's policy works would lead me to beleive that the users do in fact own their user objects. I didn't have to make any changes in the way users register.

Thanks for all the help folks.

working at www.wardnet.com
blogging at www.jamesward.ca

James Ward

Friday 05 August 2005 8:16:30 am

In case anyone stumbles in here looking for the redirect code. This seems to work fine for me.
In my user edit form:

<input type="hidden" name="RedirectURI" value={$object.main_node.url} />

working at www.wardnet.com
blogging at www.jamesward.ca

John Smith

Monday 08 August 2005 7:41:59 am

hi there,

I just want to know how are you assigning Users with subtree. In other words how to get Subtree(Users) in the policies.

Regards.

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.