MVCSiteMapProvider: non-clickable nodes with security trimming enabled - clickable

I am using MVCSiteMapProvider, v4.6.1
This is my issue: I have a section of my menu that is visible only to Administrators. I achieve this by enabling security trimming and decorating my controllers and/or controller methods to define the trimming criteria.
AdminTasks
  Add
  Edit
  Remove
What I need to do is to make the "AdminTasks" node non-clickable, but still visible only to administrators.
The behavior I am observing is that, if I mark "AdminTasks" as clickable="false" in the sitemap, the node shows for everyone, regardless of whether the user is an admin or not. It seems like, in nodes marked clickable='false', there is no security trimming performed.
It is my assumption, without exploring the code too much, that when the node is marked clickable='false', SiteMapProvider doesn't attempt to resolve any route (since it is not needed anyway for navigation purposes); but in doing so, it doesn't inspect the decorations in the controllers, therefore skipping security trimming.
Is my assumption correct?
Is there any way to have a non-clickable node that still is security trimmed?
Thanks

Non-clickable "grouping" nodes don't represent a controller action, so there would be no reasonable way to control security on them using AuthorizeAttribute.
However, you can use the TrimEmptyGroupingNodesVisibilityProvider to make a non-clickable node invisible when there are no accessible nodes nested within it. Therefore, if the current user doesn't have permission for any of the children of the "Admin Tasks" node, the "Admin Tasks" node will be hidden.
<mvcSiteMapNode title="Admin Tasks" clickable="false" visibilityProvider="MvcSiteMapProvider.TrimEmptyGroupingNodesVisibilityProvider, MvcSiteMapProvider">
  <!-- the child nodes (Add, Edit, Remove) whose actions carry the AuthorizeAttribute go here -->
</mvcSiteMapNode>
If you have a more complex scenario than this, you could also build your own visibility provider.
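An added Python model of the two rules above (constructed for this page, not MVCSiteMapProvider's own code; node and role names are invented): AuthorizeAttribute trimming only applies to clickable nodes, and TrimEmptyGroupingNodesVisibilityProvider hides a grouping node whose children were all trimmed, which is why a bare clickable="false" node is shown to every user.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of the trimming rules; not the library's implementation.

@dataclass
class Node:
    title: str
    clickable: bool = True
    # Roles the action's [Authorize] demands; None means no AuthorizeAttribute.
    roles: Optional[Set[str]] = None
    # True when TrimEmptyGroupingNodesVisibilityProvider is set on the node.
    trim_empty_group: bool = False
    children: List["Node"] = field(default_factory=list)

def is_accessible(node: Node, user_roles: Set[str]) -> bool:
    """Security trimming only checks nodes that resolve to a controller action."""
    if not node.clickable or node.roles is None:
        return True  # grouping node: no action, so there is nothing to authorize
    return bool(node.roles & user_roles)

def is_visible(node: Node, user_roles: Set[str]) -> bool:
    """Accessibility plus the optional empty-grouping-node visibility rule."""
    if not is_accessible(node, user_roles):
        return False
    if not node.clickable and node.trim_empty_group:
        return any(is_visible(c, user_roles) for c in node.children)
    return True

def visible_titles(node: Node, user_roles: Set[str]) -> List[str]:
    """Pre-order list of the titles a user would see in the rendered menu."""
    if not is_visible(node, user_roles):
        return []
    out = [node.title]
    for child in node.children:
        out += visible_titles(child, user_roles)
    return out

def build_menu(use_trim_provider: bool) -> Node:
    """Home -> AdminTasks (grouping node) -> Add/Edit/Remove (Administrators only)."""
    admin = {"Administrators"}
    tasks = Node("AdminTasks", clickable=False, trim_empty_group=use_trim_provider,
                 children=[Node(t, roles=admin) for t in ("Add", "Edit", "Remove")])
    return Node("Home", children=[tasks])

if __name__ == "__main__":
    print(visible_titles(build_menu(False), set()))  # grouping node shown to anonymous
    print(visible_titles(build_menu(True), set()))
    print(visible_titles(build_menu(True), {"Administrators"}))
```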

Related

How to make fields invisible for stock manager in odoo10

I want to make particular fields invisible to the stock manager and visible to the stock user and the Main Administrator (who is one of the stock managers).
For example:
<field name ="name_ids" groups="!group_stock_manager,group_stock_user"/>
It works, but this field is not visible to the main administrator.
How do I make this field visible to the main administrator?
The thing is that group_stock_manager inherits from group_stock_user, so you cannot restrict the first while allowing access to the second group. To solve it you may need to use another group, different from group_stock_user, to be able to isolate the permissions for group_stock_manager that will not be inherited from group_stock_user.
Like Axel was saying, you need to isolate the permissions. What you would need to do in your security definitions is define the access rights to the field and use base.group_user.
Then create a new security group xml for people who can see and edit the field.

Public Read and Write ACL despite all permissions being disabled

I have a class with all the permissions disabled, so it's available only to my cloud code while using the master key. But I looked at it today and I'm seeing that suddenly each of my objects has a Public Read and Write ACL.
What does it mean? I do not want anyone writing to, or reading from this class. Do I have to now set this in two different places?
I should add that this class contains information that I've added myself through the data browser. No app is writing to it.
I also found this a bit confusing and here's what I think is happening:
There appears to be the same notion of undefined for ACLs as for other cells. I think that is the default security ACL (non-)value. However, when the ACL is undefined, it gets reported in the Data table viewer, under the ACL column, as "Public Read and Write". I suspect that someone at Parse decided that showing (undefined) for the ACL wouldn't do justice to informing the developers of the security risk of having no ACL for the row.
As evidence of what I'm thinking, I have noticed that when you click on an ACL cell (as if to edit), and it brings up the security dialog box for the ACL of the row, then, in the original cell itself (where you clicked, now in the background), it shows the text (in JSON) of the old ACL, if there is one actually defined, and shows (undefined) if there isn't one defined yet.
My observation is that class-specified security overrides what I'm calling the undefined ACL security setting.
IMHO, it would be better in this case if the Data view page showed something more illustrative: instead of "Public Read and Write", for example, "(undefined: see class security...)".
Also, it is not yet clear to me how class security combines with row-defined ACLs (i.e. when present). If I find out one way or the other, I'll update...
(Also, fyi, sometimes it seems to me that you may have to give a few minutes before seeing security setting changes take effect.)

Error on login for backend users with custom roles

I created a custom role for some users, and I assigned the role to a particular user with a content tree limitation, like on this image.
The problem is that when that user logs in, he gets an error like on this image. Roles are working, so the user can see his assigned content tree and work with it.
How can I solve this first screen? Even a redirection to his content tree would do the job.
Thank you :)
Make sure that the user you assigned the role to also has a basic role to access basic contribution functions. I usually have a "backoffice user" role which is assigned to every contributor (or group), which includes (without any limitation):
user/login on the admin siteaccess
content/read on at least the root node: you need to be able to get "through" that node (and others if needed) to see the ones under it
ezoe, ezjscore, ezmultiupload, ezfind, ezie etc.
content/(edit|remove|...) on content which is owned by the user himself or his group
Hope this helps

Cheating traversal

I'm developing a plone4 site on which every user has a sortable inventory of items. The ATFolder's folder_content view is ideal for this. The only problem is that instead of a URL like this:
/site/user/inventory
or this
/site/inventory/user
the url should be:
/site/inventory
I've thought of several solutions, but each one has its own doubts.
Make the inventory content dynamic, depending on the authenticated user. I don't even know if this is possible in Plone.
Somehow cheat the traversal mechanism, so /site/inventory renders /site/inventory/user.
Change the context before rendering the view. Again, I don't know if this is possible.
Make inventory a subclass of ATCTContent, store the inventory data as annotation on the user and develop the ordering code all by myself. This is the option I'm trying to avoid.
What would you do?
Thanks.
Well, it'll be easy to define an inventory view that then uses the Authenticated User to render its contents, which could be a simple delegation to an ordered folder that is stored at /site/users/user/folder.
The one thing that you have to remember is that user authentication happens after traversal. This means that when a view is instantiated (its __init__ method is called) there is no user determined yet, because that happens during traversal. Look up your user in the view's __call__ or from its template instead.
Having folder contents show contents that are not the contents of the folder is crraaaaAAAAzytalk. :) Don't do it. Either have a folder per user ( /inventory/user ) or make a custom view called inventory.html. You can make /inventory show /inventory/user, but that is one step towards trying to make Plone do non-ploneish things, and that way lies a world of pain.
I don't know why you couldn't just call it /inventory/user? Seems easy enough. Then stick an action in the user viewlet, by the dashboard link, and you're done! :-)
Plone is a content management system. Use it for that, as it's supposed to be used, and you'll be happy. Trying to force it to do things it doesn't want is like trying to build a sportscar out of an art deco sculpture. It might end up looking awesome, but it won't run very well. :-)

Menu router question

My question is related to a performance issue I'm experiencing using the context module with a large number of menus. The performance issue may be a result of a module I created to import a menu structure from a different CMS into Drupal. I programmatically created the menu items using menu_link_save(), passing in the menu_name, link_path (node/$nid), link_title, plid, and weight. The router_path that gets assigned to these is "node/%".
My performance issue appears to be that the context module is calling menu_link_load() for every menu item that exists (there are quite a few), and from that calling node_load() because of the way the router_path is set.
In trying to troubleshoot this, I see there is a router_path of "node" in the database which has a different access_callback and access_arguments than "node/%". What is the difference between these two router_paths, how do they relate to one another, and when does one get called vs. the other?
The path 'node' shows all nodes which are set to active & frontpage; it is also the default path for your frontpage for this reason.
The path 'node/%' is for viewing 1 specific node with id = %.