EZP-30141: Wrong use of setup/administrate permission?

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High

    Description

      I was trying to debug a client install where they claimed they lost access to administrate users after a recent 2.1 to 2.2 upgrade.

      These are semi-admins, or power editors, so they should have access to:

      • administrate users (and all other content)

      However, right now, to expose that I need to grant them `setup/administrate` rights, which makes the following visible under *Admin* as well as Users:

      • Languages
      • Content Types

      This is not wanted.

      Main issue: Users

      Possible ways of fixing it:

      • Move Users beneath *Content*, so you don't need to grant `setup/administrate`
      • Don't require `setup/administrate` to show *Admin*; instead drop it if the user does not have rights to see any sub-menu items (implying we check permissions for all sub-items)

      Additional issue: Languages and Content Types being shown

      Does the following make sense?

      • Change the Languages menu item to check permission `content/translations` instead of `setup/administrate`
        • This is what `LanguageController` is using; however, that might be for something else, as when testing this I seem to have full access to administrate languages just with `setup/administrate`, so there might be several "bugs" here.
      • Add the missing permission check for Content Types; for 2.2.x use `setup/administrate`, but for 2.3:
        • A. Add for instance a `class/view` function in order to be able to do it, with a BC note that legacy won't respect this and that it's only for Platform.
          • Caveat: for cases where users are granted `class/edit` only, they now also need `class/view`
        • B. [slightly preferred] Let's adjust the permission API so that we can ask whether a user has rights to any function on a module; in this case we just ask for access to `class`, which could for instance return false or an array of functions, and we then check whether the return value evaluates to true before showing the menu item.
          • SIDE: I can help with this one if accepted; it can be useful in many cases
          • Caveat: unless we combine this with A, it will not be possible to grant just `view` rights if someone for some reason has a need for that.
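      As an added illustration of the two proposals above (drop *Admin* when none of its sub-items is visible, and ask whether a user holds any function on a module), the following standalone PHP script is not eZ Platform code; its policy format, the `hasAnyAccess` helper and the `content/edit` check for Users are assumptions made for the example.

```php
<?php
// Added example (not eZ Platform code): derive Admin menu visibility from policies
// instead of requiring setup/administrate. Constructed [module, function] pairs; '*' = all.

/** True if any policy grants $module/$function (wildcards honoured). */
function hasAccess(array $policies, string $module, string $function): bool
{
    foreach ($policies as [$m, $f]) {
        if (($m === '*' || $m === $module) && ($f === '*' || $f === $function)) {
            return true;
        }
    }
    return false;
}

/** Proposal B: does the user hold any function at all on $module? */
function hasAnyAccess(array $policies, string $module): bool
{
    foreach ($policies as [$m]) {
        if ($m === '*' || $m === $module) {
            return true;
        }
    }
    return false;
}

/** Admin sub-items the user may see; an empty result means hide *Admin* itself. */
function visibleAdminItems(array $policies): array
{
    $checks = [
        // Languages: check content/translations as proposed in the report.
        'Languages'     => fn(): bool => hasAccess($policies, 'content', 'translations'),
        // Content Types: any function on the class module (proposal B).
        'Content Types' => fn(): bool => hasAnyAccess($policies, 'class'),
        // Users: assumption for this example only, gated on content/edit.
        'Users'         => fn(): bool => hasAccess($policies, 'content', 'edit'),
    ];
    return array_keys(array_filter($checks, fn(callable $c): bool => $c()));
}

// Constructed roles; none of them holds setup/administrate.
$roles = [
    'power editor' => [['content', '*'], ['class', 'edit']],
    'translator'   => [['content', 'read'], ['content', 'translations']],
    'reader'       => [['content', 'read']],
];
foreach ($roles as $name => $policies) {
    $items = visibleAdminItems($policies);
    echo $name, ': ', $items ? 'Admin > ' . implode(', ', $items) : 'no Admin menu', PHP_EOL;
}
```

      The power editor gets all three items, the translator only Languages, and the reader no *Admin* menu at all, without any of them being granted `setup/administrate`.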

      People

        Assignee: Unassigned
        Reporter: Barbara Grajczyk