Clarification regarding Joomla Access Control (ACL) - joomla

Consider the following scenario in Joomla user access.
I have two users: User1 and User2.
User1 is mapped to Group1 and User2 to Group2. Also, Group1 is mapped to view level Level1.
For Article1, I set the Edit and Delete permissions to Allowed for Group1 (Denied for all other groups), and the View access level is set to Level1.
So it should let User2 edit Article1 and User1 view the article.
Since User2 can edit, will he be able to view the article as well?
Is there any way of controlling Joomla article access per user?

One thing is that "seeing" and "doing" are treated separately. So one place you can make a mistake is to give a user an action permission on something she can't see. On the other hand, you need to add User2 to Group1, either directly or by inheritance, i.e. make Group2 inherit from Group1. You could also add Group2 to access level 1.
To control by user in the CMS implementation, you would need to make a group that only contains that user. The only exception is "edit own".
However, with plugins or with your own implementation of ACL using JAccess, you have the possibility of many other approaches.

Related

Parse CloudCode: How to check if the current user belongs to a role hierarchy?

In CloudCode, is there any utility function with which I can determine that the current user belongs to a certain role?
Assume the following role hierarchy: Admin->Manager->User
If I add user1 to the Admin role, this means that if I query all the roles this user belongs to in Cloud Code, I will get the immediate list of roles, not the hierarchy. I am wondering if there is a utility function that helps with this issue?

permission of associated subgrid in crm

I have a (CRM) grid that has an associated view (a). I need to add another associated view (b) to the same grid and give different view permissions (some users will see 'a' and some will see 'b'). Can I control these permissions on my associated grids?
Based on your requirement, it looks like you don't need two views and a switch.
User A should have a security role A which will filter the data he can and can't see.
In security role A, modify the Read privilege to BU level (half amber); now it may be full green (Org level).
The same security role A assigned to User B (if they are from a different BU) will work as it is. Basically, role A has to be there in all BUs individually.

Revokable Discretionary Tree

For my own understanding, I'm writing a Hierarchical Discretionary Access System. It is not DAC, it is more akin to Discretionary RBAC, but those details do not matter for the question at hand.
Each user has a certain Role; each Role has a certain set of permissions.
Each Role is organised in a hierarchical tree-like structure: the role named root has all permissions; child roles of root have a subset of the permissions of their parent role.
Schematic views of the above:
Let's say that a user with the role named manager decides to delegate the permission named set_salary to a user with the role named programmer, who subsequently delegates this permission to the user with the role named intern.
Somebody decides to fire said user with the role named manager. As a result, the role named manager is revoked from said user. What is more, all permissions delegated by said user also need to be revoked.
So my question is:
Is there a data structure which facilitates easy identification of:
the chain of permissions delegated by a certain subject within a hierarchical tree structure;
whether or not a certain permission has been delegated to a certain subject?
How about an adjacency list?
Or, in other words, 'a list of linked lists', similar to how we use it in representing graphs.
Each user can be associated with a delegation linked list.
A node of the delegation linked list can be of the form <permissionId, userId>, denoting that the owner of the linked list has delegated the permission permissionId to the user userId. Then we can go through the linked list of the user userId and repeat the same process recursively until we find a user whose delegation linked list is empty.
This algorithm is basically the same as depth-first search.
This model can't support delegation of a permission per user like you described for the manager -> programmer -> intern situation. Permissions are set for a role, and setting a new permission for a role affects all users that have that role.
To support permission delegation per user, a new relation is needed that describes the delegation. The data needed to describe it is: which user gave the permission, which user received it, and which permission is delegated. For example, a relation delegatedPermission with columns:
giveUserId
receiveUserId
permissionId
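Added example, not part of either answer above: the delegatedPermission relation (giver, receiver, permission) from the second answer stored as the adjacency list the first answer suggests, a depth-first walk that recovers a subject's delegation chain, and a revocation that cascades when the subject's role is taken away. Roles, users and permissions are constructed; the cascade deliberately keeps a grant the receiver can still back with its own role (bob's commit below), which a plain DFS over the chain would wrongly revoke.

```python
# Added example (not from the original post): the delegatedPermission relation
# (giver, receiver, permission) kept as an adjacency list, a DFS that lists
# everything a subject delegated transitively, and a revocation that cascades
# only through grants the subject actually propped up. Roles, users and
# permissions below are constructed.
from collections import defaultdict

# Role hierarchy: each child role holds a subset of its parent's permissions.
ROLE_PERMS = {
    "root": {"set_salary", "hire", "fire", "commit"},
    "manager": {"set_salary", "hire", "commit"},
    "programmer": {"commit"},
    "intern": set(),
}
user_roles = {}

# delegatedPermission rows indexed by giveUserId:
#   giver -> [(receiveUserId, permissionId), ...]
delegations = defaultdict(list)

def reset():
    """Initial state of the constructed scenario."""
    user_roles.clear()
    user_roles.update({"alice": "manager", "bob": "programmer", "carol": "intern"})
    delegations.clear()

def effective_perms(user):
    """Permissions from the user's role plus every permission delegated to it."""
    perms = set(ROLE_PERMS.get(user_roles.get(user), set()))
    for edges in delegations.values():
        perms.update(p for r, p in edges if r == user)
    return perms

def is_delegated_to(user, perm):
    """Has `perm` been delegated to `user` by anyone? (Role grants don't count.)"""
    return any(r == user and p == perm for edges in delegations.values() for r, p in edges)

def delegate(giver, receiver, perm):
    """A subject may only hand on a permission it currently holds."""
    if perm not in effective_perms(giver):
        raise PermissionError(f"{giver} does not hold {perm}")
    delegations[giver].append((receiver, perm))

def delegation_chain(subject):
    """DFS over the adjacency list: every (giver, receiver, perm) reachable
    from `subject`. This over-approximates what depends on the subject, since
    a receiver may pass on a permission it also holds through its own role."""
    chain, seen, stack = [], set(), [subject]
    while stack:
        giver = stack.pop()
        if giver in seen:
            continue
        seen.add(giver)
        for receiver, perm in delegations.get(giver, []):
            chain.append((giver, receiver, perm))
            stack.append(receiver)
    return chain

def revoke_subject(subject):
    """Strip the subject's role and all of its outgoing delegations, then
    cascade: any delegation whose giver no longer holds the permission is
    dropped too. Grants a receiver can still back with its own role survive."""
    user_roles.pop(subject, None)
    removed = [(subject, r, p) for r, p in delegations.pop(subject, [])]
    worklist = [r for _, r, _ in removed]
    while worklist:
        giver = worklist.pop()
        held = effective_perms(giver)
        keep = []
        for receiver, perm in delegations.get(giver, []):
            if perm in held:
                keep.append((receiver, perm))
            else:
                removed.append((giver, receiver, perm))
                worklist.append(receiver)  # receiver lost a permission: re-check it
        delegations[giver] = keep
    return removed

def run_scenario():
    """Constructed scenario from the question: manager -> programmer -> intern."""
    reset()
    delegate("alice", "bob", "set_salary")   # manager -> programmer
    delegate("bob", "carol", "set_salary")   # programmer -> intern
    delegate("bob", "carol", "commit")       # bob holds commit by role, not via alice
    before = {"carol_perms": effective_perms("carol"),
              "chain": set(delegation_chain("alice"))}
    removed = set(revoke_subject("alice"))   # alice is fired
    after = {"removed": removed,
             "carol_perms": effective_perms("carol"),
             "alice_has_role": "alice" in user_roles,
             "carol_set_salary": is_delegated_to("carol", "set_salary")}
    return before, after

if __name__ == "__main__":
    before, after = run_scenario()
    print(before)
    print(after)
```

The worklist in revoke_subject re-checks a receiver every time one of its incoming grants disappears, so it converges even when a permission reaches a user along two paths that both trace back to the fired subject.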

Parse ACL that allows multiple roles - from another object - to have access to object

This question is really made of two parts.
Using Parse, I'd like to have the following [simplified] scheme, where I have Users who are part of secret groups, and there are discussions that can appear across a few groups at once. That is, Users who are part of Group A are also added to the GroupA role, and have access to discussions in Group A.
My trouble is, when I create a new discussion and tell it the groups it should appear in, how do I query for the roles and add them to the Discussion as well? I'm really fuzzy on this roles/ACLs business, even after reading extensively.
User(firstname, lastname)
Group(members, secrets)
Discussion (groups, note, comments)
Create a Role when you create a Group. Assign a pointer from the Group to the Role. Set the ACL for the Group to the Role (for write, it can be public read or whatever you want). When you add users to the Group, add them to the Role so they have access through the ACL.
For your Discussion you need to add all of the appropriate Roles from all of the Groups to the ACL list so that all of the users in all of those Roles have access.

Is it possible to hide content for one specific user group?

I know we can show content based on a user's access level using Joomla ACL, but is it possible to show content to all users except for one specific group? If so, how?
I've tried creating an access level called news that includes all groups except the no_news group, then assigned my module the access level news.
Unfortunately, users belonging to the no_news group were able to see the content. Any suggestions?
The no_news class inherits from registered.
Is your no_news group inherited from Public? If so, exclude the Public group from the NEWS access level. Basically, the idea is that if the parent group has access, then all child groups will also have it.
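Added example, not Joomla's own code and not part of either answer: a small model of how Joomla keeps "seeing" (view access levels) separate from "doing" (action permissions), serving both the Article1 thread at the top of the page and the no_news thread here. The group tree, users and rules are constructed to mirror those two posts. Two behaviours are modelled on Joomla's documented semantics: a user's groups are expanded to include every ancestor group before either check, and for actions an explicit Deny on any of those groups wins over an Allow; everything else (a single asset, no asset-tree inheritance) is a simplification.

```python
# Added example (not Joomla's own code): view levels versus action rules,
# both evaluated over the user's groups expanded with their ancestors.
# Group names, users and rules are constructed for the two threads.

class Acl:
    def __init__(self, group_parent, view_levels, asset_rules, user_groups):
        self.group_parent = group_parent   # group -> parent group (None = root)
        self.view_levels = view_levels     # level -> set of groups
        self.asset_rules = asset_rules     # asset -> action -> group -> bool
        self.user_groups = user_groups     # user -> set of directly assigned groups

    def expand(self, user):
        """Joomla resolves a user's groups together with all ancestors; this is
        why a child group inherits whatever its parent may see or do."""
        out = set()
        for g in self.user_groups.get(user, set()):
            while g is not None:
                out.add(g)
                g = self.group_parent[g]
        return out

    def authorised_view_levels(self, user):
        """'Seeing': a level is authorised if ANY of its groups is in the
        expanded set. View levels have no notion of deny."""
        mine = self.expand(user)
        return {lvl for lvl, groups in self.view_levels.items() if groups & mine}

    def can_view(self, user, level):
        return level in self.authorised_view_levels(user)

    def can_do(self, user, action, asset):
        """'Doing': an explicit Deny on any of the user's expanded groups wins;
        otherwise any explicit Allow grants; Inherited (absent) is silent."""
        rules = self.asset_rules.get(asset, {}).get(action, {})
        verdicts = [rules[g] for g in self.expand(user) if g in rules]
        return False not in verdicts and True in verdicts

# Constructed group tree: Public > Registered > {Group1, Group2, no_news}.
GROUP_PARENT = {"Public": None, "Registered": "Public",
                "Group1": "Registered", "Group2": "Registered",
                "no_news": "Registered"}
USER_GROUPS = {"User1": {"Group1"}, "User2": {"Group2"}, "Reader": {"no_news"}}

def article1_access(group2_parent="Registered", deny_group2=True):
    """First thread: Level1 = {Group1}; Group1 may edit Article1.
    Returns {user: (can view Level1, can edit Article1)}."""
    parents = dict(GROUP_PARENT, Group2=group2_parent)
    edit = {"Group1": True}
    if deny_group2:
        edit["Group2"] = False             # the question's explicit "Denied"
    acl = Acl(parents, {"Level1": {"Group1"}},
              {"Article1": {"core.edit": edit}}, USER_GROUPS)
    return {u: (acl.can_view(u, "Level1"), acl.can_do(u, "core.edit", "Article1"))
            for u in ("User1", "User2")}

def news_visible_to_no_news(level_groups):
    """Last thread: can a member of no_news (a child of Registered) see a
    module whose access level 'news' is made of the given groups?"""
    acl = Acl(GROUP_PARENT, {"news": set(level_groups)}, {}, USER_GROUPS)
    return acl.can_view("Reader", "news")

if __name__ == "__main__":
    print(article1_access())                                  # User2: neither sees nor edits
    print(article1_access("Group1", deny_group2=False))       # Group2 under Group1: both
    print(article1_access("Group1", deny_group2=True))        # explicit Deny beats inheritance
    print(news_visible_to_no_news({"Public", "Registered", "Group1", "Group2"}))  # True
    print(news_visible_to_no_news({"Group1", "Group2"}))                          # False
```

The third article1_access call is the caveat to the "make Group2 inherit from Group1" advice: inheritance only helps if Group2's permission on the article is left at Inherited, because an explicit Denied on Group2 is still found in the expanded group set and wins. The two news_visible_to_no_news calls reproduce the answer's point: as long as Registered (or Public) is in the level, every child group, no_news included, is admitted.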
