10 replies to this topic

[florian]

Hello all,
got the following problem: a part of my site is "restricted" to a privileged usergroup. No problem here.
Now i would like to give some users of this group the permission to edit another part of the site. No problem there.

But: is it possible to prevent those "editor-role"-users from editing the "restricted" pages?

[Ralph]

You are limited to whatever user and document group permissions are available... See the documentation on this site for the best overview of what can and/or can't be accomplished with the current permissions structures...

[florian]

See the documentation on this site for the best overview of what can and/or can't be accomplished with the current permissions structures...

well, i did. And i think, that the docu is not very exact on that point. For example in The Basics it says in the end

Together, these elements define who can do what on which part (where) on our website.

Because, what these elements dont allow is for one and the same user to grant read access to document A and write access to document B without granting write access to document A.

Short version: i take it the answer to my question is "no".

[Ralph]

I may not have my head wrapped completely around your particular scenario but my guess is, no, you probably can't do what you would like to do... The problem revolves around what a user can do, based on user Roles, versus who has access to a particular document, based on what document groups the user belongs to... You cannot pick and choose what a specific user can do within a specific document group or a particular document... The current permissions system is not granular enough to allow such elaborate control... This is just one of the reasons we want to get a new code base out which has a more diverse authentication/permissions system... We are in the process of attempting to sort out the best means of achieving this right now, with some of the debate going on in the LDAP topic in recent days...

[florian]

that does sound good. Thanks for your answer.

[-Ed-]

I might be completely wrong here,
But I think it is possible to set it up:

We have User A and user B

Document A and Document B
(both are users and document groups)
User A has permission on document A, and B on B.

All clear, I hope ?

OK we'll add restricted, user and Documents group.
Restricted group has access to restricted documents.
got it ?, right, next step

We don't want restricted users to edit the restricted pages.

Ok, we create restricted user-no edit group that has no edit rights on restricted pages.
and we move those users that are not allowed to edit restricted pages to this group.

We create a restricted-edit document group for documents that are allowed to be edit for restricted users.

But we want to let restricted users be able to edit some pages in the website
Those pages are added to the restricted-edit document group.

Document A can be connected to Group A and restricted-edit. (editable for group a and restricted-edit )
Document B can be connected to Group B and A. (editable for group a and B )
Document Restricted can be connected to Restricted Group. (editable for restricted group only )



erm.. I think that's it.

This could work, I haven't tried it, but thinking about it, this should work.

You are using the users and Document groups to the full in this one, so don't get confused

Edited by Ed Headset, 25 January 2008 - 04:57 PM.

[Ralph]

True, there may be a roundabout way to get all of or most of the flexibility needed for this particular instance, but multiple permissions overlap is not well supported... Most people have been able to limp by with the inherent limitations which we have known have existed all along... Thanks for the details, Ed...

[florian]

Restricted group has access to restricted documents.
got it ?, right, next step

yes, the trouble is, that to achieve this, you have to setup those documents with "authenticate" to prevent normal users to see them, and you have to put them in a document group linked to these restricted users in order to allow those users to view them.

Just in this moment, if the users have any edit-permissions, they're able to edit the restricted pages.

You are using the users and Document groups to the full in this one, so don't get confused

Hope, I didn't. But I think Ralph was right in his first post.

[Ralph]

Remember, authenticate is only for front end security and you need to incorporate the check in your snippet code as the parser itself doesn't pay any attention to that flag during normal operations...

[florian]

OK, now after digging this thread up after some time I think that I kept one important piece of information to myself: those users I want to allow editing part of the site are supposed to do this through the backend!

Sure, with an extra snippet to support front-end-page-editing this snippet has to check permissions for itself...

[Ralph]

Any snippet code that you write will only run in the front end, so unless you're hacking the Etomite manager, that's the only place where this information is pertinent... Granted, the back end uses similar methods but they are all handled in a more long and drawn out fashion...