Dizkus

Checking in the code, I can't see where it checks permissions on the category and it doesn't seem to work in practice

I see the $permFilter being set, but that's for the

Stories::Story Author ID:Category name:Story ID

component and instance.

The code doesn't seem to check for:

Stories::Category Category name::Category ID
tried as Stories::Category (with and without name)::33

I've also tried:

Categories::Category Category ID:Category Path:Category IPath
as Categories::Category 33::

In every case, a story set with category 33 still shows up for all users. And yes, the NONE permission is applied ABOVE any generic permissions such as read/comment (actually just below the admin permission).

Can anyone confirm that there is no functional permission check on categories in the News / Stories module? (RC3 + 3/5/08 SVN)

OK, I've just added some category filters to the main CategoryUtil class (the filtering is done against the OVERVIEW permission level). This means that filtering is now done on the following permission rule:



Can you please get the latest SVN version of includes/pnobjlib/CategoryUtil.class.php and check if you can now work with these filters? Please report your findings back here.

Greetings/Thanks
R

Thanks rgasch,

I'll take a look today and report back on the 'Categories::Category' => 'Category ID:Category Path:Category IPath' route.

I'm guessing the Stories::Category Category name::Category ID is DEPRECATED, right?

Going forward, especially for module devs, is there an example of filtering on a category WITHIN a module (rather than using a 'Categories::Category', using modulename::Category) and how to implement for that?

Thanks,
NCM

Still no go...

I can't get any permissions to work on News items using .8 categories.

I've tried every component / instance combo I can think of.

Where exactly does the filtering on .8 categories occur? I still see nothing in the code that would restrict News items based on categories.

selectObjectArray is how the news items are called in pnuserapi.php via function get_all.

I'm not trying this in my own code - merelyh going by the components and instances published in the permissions admin. One is:

Stories::Category Category name::Category ID

Another is:
Categories::Category Category ID:Category Path:Category IPath

Neither of these seem to work as intended. They either need to be removed from the permissions definition or somewhere, the permission check based on category needs to be done.

Can anyone else actually set a news story to a category, then set a permission of NONE to that category, and have it actually restricted?

NCM

Just to clarify,

Universal permissions on categories do not work - just tried on FAQ as well.
Stories::Category component of permissions do not work.

I thought that .800 could restrict content by universal categories, but I do'nt see any relevant checks taking place. I'm using just the simplest form I can:

Create a category in the global - say category name = ThisCat with ID 33.
Create FAQ and news story and set to this category.

Create permission with:

All Groups Categories::Category 33:: NONE
Place this directly below top admin permission.

Visit site not logged in - still shows all category 33 content in FAQ and news.

I'm just wanting confirmation that either:

a - something is broken, it should work this way
b - is not possible,
c - even Stories::Category component will not work

Any thoughts? comments?

NCM

Hi,

please check that you have the most recent version (from SVN) of includes/pnobjlib/CategoryUtil.class.php. You should see the following code in the function getCategories() (at line 79):



If you have this code and can't get the universal categories permissions to work, I'll take a more detailed look at *why* you can't get this to work. If you don't have this code, please grab the latest version CategoryUtil.class.php and re-test.


Greetings/Thanks
R

I've tidied some of the internal news module permission checking and fixed the entries in pnversion that populate the permissions module popup. These new reflect that permissions for categories are in the categories system itself not within the module.

-Mark

Thanks Mark, I think that will be helpful to users.

Rgasch,

Ok...now, the category itself is being excluded but not the content that is within the category?

Example:

News item with category of MEMBERONLY
MEMBERONLY permissions set to
ALL GROUPS Categories::Category MEMBERSONLYcatid:: NONE
(MEMBERSONLYcatid replaced by actual id)

A user with permissions for the category (MEMBERS Categories::Category MEMBERSONLYcatid:: READ) sees on frontpage and in module News:

News
[ Front Page | Archive | Submit Article ]
MEMBERONLY: News Title

Blah Blah Blah...
------------------------------

NON-logged in or non-MEMBERS group user(hence no permission) user sees:

News
[ Front Page | Archive | Submit Article ]
News Title

Blah Blah Blah...
---------------------

Notice the only difference is that you don't see the category in front of the title. Is this all category permissions do? Hide the category itself, but NOT restrict any content that is in that category?

I thought the category system could be used to restrict content using permissions, not just hide the particular category text.

NCM

So no go? Content cannot be restricted via categories? Or is this a bug that is not working?

To summarize:

Using Categories::Category syntax I can restrict the category itself BUT NOT the content assigned to that category.

This is a step backwards, IMO, for the modules that use the new categories. .76+ era modules used topics / their own category system but you could restrict content based on those.

I'll review and fix it
each module should filter its content with its defined rules
and the general categories access check is not there currently,
but i'll add it.

Don't worry!

--
- Mateo T. -
Mis principios... son mis fines

Mateo,

So each module has to initiate its own permissions check for categories? I somehow thought if enabled for the module, the category permissions applied automatically.

Perhaps that would be something to look at for .9 - automatic filtering based on category permissions, making it a sitewide feature for modules that plugin to the categories system.

I just wanted to make sure I wasn't "missing" the point.

IMO, a system where one permission, based on the category itself, could restrict content across all modules that used the category system, would be ideal.

My impression was that this was already possible in .8, but thank you for the clarification.

I like the new category system - its very flexible and seems to work well. If this piece were included down the road, it would also be very powerful permissions wise.

So you're going to add it to the News module? If so, let me know when and I'll take a look at the code.

Again, thanks for everyone's efforts on .8 - its a great package!
NCM

Well
it seems that this feature requires some modifications in DBUtil itself. I've tried to do a temporary filter for the News module but without some help of DBUtil it's impossible, and if articles are filtered, the pager is the next problem.

Currently, the process is:
You ask to DBUtil to select some objects of the module table,
optionally you pass some permissions/category filters.
DBUtil select the adequate items,
then apply some post-process depending of the module configuration.
if Categories are enabled for that module,
they are attached to the items in the __CATEGORIES__ field with the help of CategoryUtil, but here, the Category-based permissions just prevents that this be attached to the item (as you mentioned).

We need to make this Category Permission check a pre-condition for the DBUtil query, and it's possible in this way:
Collect the "forbidden" categories in some manner (this is the big point),
and exclude the items that belongs to them (an negative category filter ).

So, have to find the manner to translate the Categories::Category + ACCESS_NONE permissions rules into categories IDs and exclude them in the DBUtil queries.

That's an idea to make this possible...

--
- Mateo T. -
Mis principios... son mis fines

Yikes...just tried to step through it myself looking at DBUtil, generateCategoryFilterWhere , etc.

I'm thinking in the _selectPostProcess of DBUtil, drop objects that don't pass a category permissions check.

You're already iterating through the objects, just throw in a good ol' security check. If no READ permissions are there, then drop that object from the array (and decrement object counts?).

As you said, the issue is counts and pages - the object counts are performed before this process.

EDIT - another consideration is parent/child categories - does a NONE permission for a parent deny all children categories, too? Intuitively it should.

Hmm...

Was this never thought about during implementation of categories? How to restrict content via category and by branch (parent branch, child leaves all restricted)? Wish the category was just a natural join to make it easier...lol

NCM



edited by: uheweb, Mar 13, 2008 - 03:12 AM

this could be ideal for eg. a calendar , so events could be viewed with categories restrictions ...



edited by: jami, Mar 20, 2008 - 06:36 PM

--
http://code.zikula.org/crpcalendar
http://code.zikula.org/crpvideo
http://code.zikula.org/crptag
http://jami.cremonapalloza.org

Mateo,

Had any time to look at this? From what I can see, its a tough one - especially with negative permissions and content that can belong to multiple categories.

$50 bounty to whoever figures out a reasonable way to do this at the DBUtil level

I'm stuck on how to handle multiple categories along with permissions that contradict - ie, NONE for one category, READ for another - need to find the overridding permission and only allow on that.

Also, what about parent / child paths? If a parent is denied...should the children be denied to? Ideally, setting permissions for a category should set them for the entire branch.

Does the current category permissions check paths, or merely ID's?

NCM