Re: [Tiki-devel] Tiki9 testing - category admin not showing all thepermissions available

Hi Xavi,

In structures, when creating a new page, the direct object permissions will be inherited for users with either admin permissions or edit-page + edit-structure permissions.

The inherited permissions are copied from the “parent” page.

To test… for a user without global editing rights, grant direct permissions on a structure page. (edit-page and edit-structure rights).

When the user creates a new structure page (using “Add Page”), the new page will also be editable for the same user, since the direct permissions are inherited.

Thus a user should be able to edit the page tree, given permissions to a single root page.

Note that direct object permissions override all other permissions settings, and that this functionality should be used with care.

In the wiki admin the copying of these direct permissions can be disabled.

Hope this helps

Note that Geoff’s problem mentioned below is not exactly the same, but is fixed/included in the same commit, due to a change in the underlying permission check function.

Arild

Arild, what should be done (if structure permissions are not modified to allow object permissions at structure level, regardless of global permissions on structures), so that a non-admin users can be granted permissions to edit 1 structure, but not all the others...

I'm willing to test, but I don't6 fuly get what is the expected procedure, without object perms on structures, that this behavior can be achieved.

Any pointers appreciated.

Xavi

P.S. I've been pursuing to have permissions on local structures in tiki sites since a few years ago already ... (I'm very concerned with this limitation in tiki already with structures; and imho, this should be achievable without using categories in an optimum tiki implementation)

On 05/05/12 09:38, Arild Berg wrote:

Hi Geoff,

The regression/bug you are referring to should have been fixed.

The check sent 2 paramaters to the tikilib function user_has_perm_on_object  to verify the access.

However, this function only accepted 1 parameter. The second one, the edit_structure permission, was ignored.

The user_has_perm_on_object  now accepts 3 permissions , and the check should work OK.

Please give it a try.

I don’t think it’s correct to put structure permissions at an object level.

The same permissions, I believe, are also used when editing the structures in the admin structure panels.

There I am not sure an object applies. Unless we look at the individual structure being worked on (and not on the tools). I guess that could work.

If changed which permission would then limit the access to the tools?

To me it seems best to keep structure permissions global.

I hope that you problem case is already solved, and we don’t need to re-work the structure permissions.

Arild

OK - I think I understand, some permissions are 'deemed' to only be global and this is set in lib/userslib.php where 'scope' is set to 'global' for just global/group permissions and 'object' for either category of individual object permissions - but just doing this doesn't mean that the right checks/tests are done throughout the code

My specific interest at present is the edit_structures permission which I think should have 'object' 'scope' but is just 'global' at present. The reason for this is a regression/bug I noted on 2nd April

WYSIWYCA problem with Structures. If a user does not have the tiki_p_edit_structures permission they should not be able to see the Add page/child tools in the structure bar at the top of the page - but they can. The "tiki-wiki_structure_bar.tpl" template needs to be updated to do a more complete check that the user does have the tiki_p_edit_structures permission for the specific page observing any categorisation, before displaying the Add page/child tools.

The specific use case I want to cover is not just whether the user has global permission but also the situation where an individual page within a Structure is categorised and does not allow the user access to the Structure edit tools

If no one objects I will change the scope for this permission in trunk so it can be included in categories and then I'll take it from there to try and sort out the checks.

cheers

geoff

From: Louis-Philippe Huberdeau [mailto:lphuberdeau@...
Sent: 04 May 2012 17:05
To: Tiki developers
Subject: Re: [Tiki-devel] Tiki9 testing - category admin not showing all the permissions available

Still has to be tested... changing hte scope does not mean the permission is checked at the right level.

--
LP

No virus found in this message.