Roles and blocking access to folders

Author Message

Steve Conrad

Tuesday 11 January 2005 2:40:51 am

Hi there,
I have a problem that I can't seem to solve.
I'm working on an Intranet that isn't using virtual hosts.

I have a structure like this:

HOME
|--- Sub1
|--- Sub2
|--- Sub3

When an admin user logs on they get the Sub1-3 at the top of the page as links to visit and the address they are looking at is http://server/index.php/home/

This is all working fine.

However, I also want a set of users that can only see folder sub3.

I set up a role that has the following access:
Business (limited to subtree /1/2/79/) user all functions Nolimitations
Business (limited to subtree /1/2/79/) content read Nolimitations

[I've also tried:
user all functions No limitations
content read Subtree( Sub3 )
]
at is http://server/index.php/home/ and they are only authorised to read http://server/index.php/home/Sub3 and downwards?

How can I either (a) authorise a user to the http://server/index.php/home/ folder, but not include Sub1 and Sub2 at the same time or (b) Force a user logging on under this role to automatically jump to http://server/index.php/home/Sub3 after logging on?

Once I get the 'access denied' page I can actually change the URL myself to go to http://server/index.php/home/sub3 and this works fine (Except if I click the logo where it tries to jump back to http://server/index.php/home/ again!).

Secondly, I've also noticed that if I log on as this business user and try to edit it's own account I again get an 'access denied' since the URL I'm getting is http://server/index.php/home/content/edit/289 (289 being the number of the user in question). I'm assuming the function 'selfedit' under user should allow this - but I'm not getting the option to work. Strangely the 'change password' option does work though!

Eivind Marienborg

Tuesday 11 January 2005 3:17:21 am

You could try setting up different sections for the different folders, and grating access based on those.

Steve Conrad

Tuesday 11 January 2005 3:28:35 am

Hmm.. as I thought -
Adding a section (Business_section) and assigning a subtree to this, then setting the role to:
user all functions No limitations
content read Section( Business_section )

Still gives me the same result - i.e. the user is only authorised to the sub-tree 'sub3' and not to the main page 'home', and the main page is not a subtree itself that I can add to anywhere (either a role directly or via a section) :(

Steve Conrad

Tuesday 11 January 2005 4:08:06 am

Ah - some more playing about and I think I'm close to a solution:

The breakthrough was noticing an UpArrow icon on one of the screens!
When you add a subtree (or a single node even) the system shows you the main set of subtrees automatically. However, I've now noticed that you can use an uparrow icon (top left, above the 10,25,50 figures). This allows you to move above the subtrees and back to the top level node (Home in my case).
I can then select this and authorise just the Home node to the policy plus the subtree(s) of my choice.
I've now got the policy looking like this:
user all functions No limitations
content read Node( Home )
content read Subtree( sub3 )
And this seems to fix my problem.
:)

Steve Conrad

Tuesday 11 January 2005 4:11:12 am

In the same vein, adding the following to the policy:
content edit Subtree( Users )
content read Subtree( Users )

Has enable me to get the restriced user to be able to update their own account details.

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.