Published permission not working? - Stories::Category Category name::Category ID

Checking in the code, I can't see where it checks permissions on the category, and it doesn't seem to work in practice.

I see the $permFilter being set, but that's for the

Stories::Story Author ID:Category name:Story ID

component and instance.

The code doesn't seem to check for:

Stories::Category Category name::Category ID
tried as Stories::Category (with and without name)::33

I've also tried:

Categories::Category Category ID:Category Path:Category IPath
as Categories::Category 33::

In every case, a story set with category 33 still shows up for all users. And yes, the NONE permission is applied ABOVE any generic permissions such as read/comment (actually just below the admin permission).

Can anyone confirm that there is no functional permission check on categories in the News / Stories module? (RC3 + 3/5/08 SVN)
OK, I've just added some category filters to the main CategoryUtil class (the filtering is done against the OVERVIEW permission level). This means that filtering is now done on the following permission rule:

Quote

'Categories::Category' => 'Category ID:Category Path:Category IPath'


Can you please get the latest SVN version of includes/pnobjlib/CategoryUtil.class.php and check if you can now work with these filters? Please report your findings back here.

Greetings/Thanks
R
Thanks rgasch,

I'll take a look today and report back on the 'Categories::Category' => 'Category ID:Category Path:Category IPath' route.

I'm guessing the Stories::Category Category name::Category ID is DEPRECATED, right?

Going forward, especially for module devs, is there an example of filtering on a category WITHIN a module (rather than using a 'Categories::Category', using modulename::Category) and how to implement for that?

Thanks,
NCM
Still no go...

I can't get any permissions to work on News items using .8 categories.

I've tried every component / instance combo I can think of.

Where exactly does the filtering on .8 categories occur? I still see nothing in the code that would restrict News items based on categories.

selectObjectArray is how the news items are called in pnuserapi.php via function get_all.

I'm not trying this in my own code - merely going by the components and instances published in the permissions admin. One is:

Stories::Category Category name::Category ID

Another is:
Categories::Category Category ID:Category Path:Category IPath

Neither of these seem to work as intended. They either need to be removed from the permissions definition or somewhere, the permission check based on category needs to be done.

Can anyone else actually set a news story to a category, then set a permission of NONE to that category, and have it actually restricted?

NCM
Just to clarify,

Universal permissions on categories do not work - just tried on FAQ as well.
Stories::Category component of permissions do not work.

I thought that .800 could restrict content by universal categories, but I don't see any relevant checks taking place. I'm using just the simplest form I can:

Create a category in the global - say category name = ThisCat with ID 33.
Create FAQ and news story and set to this category.

Create permission with:

All Groups Categories::Category 33:: NONE
Place this directly below top admin permission.

Visit site not logged in - still shows all category 33 content in FAQ and news.

I'm just wanting confirmation that either:

a - something is broken, it should work this way
b - is not possible,
c - even Stories::Category component will not work

Any thoughts? comments?

NCM
Hi,

please check that you have the most recent version (from SVN) of includes/pnobjlib/CategoryUtil.class.php. You should see the following code in the function getCategories() (at line 79):

Code

$permFilter = array();
$permFilter[] = array('realm'            => 0,
                      'component_left'   => 'Categories',
                      'component_middle' => '',
                      'component_right'  => 'Category',
                      'instance_left'    => 'id',
                      'instance_middle'  => 'path',
                      'instance_right'   => 'ipath',
                      'level'            => ACCESS_OVERVIEW);

$cats = DBUtil::selectObjectArray ('categories_category', $where, $sort, -1, -1, $assocKey, $permFilter);


If you have this code and can't get the universal categories permissions to work, I'll take a more detailed look at *why* you can't get this to work. If you don't have this code, please grab the latest version CategoryUtil.class.php and re-test.


Greetings/Thanks
R
I've tidied some of the internal news module permission checking and fixed the entries in pnversion that populate the permissions module popup. These now reflect that permissions for categories are in the categories system itself, not within the module.

-Mark

--
Visit My homepage and Zikula themes.
Thanks Mark, I think that will be helpful to users.

Rgasch,

Ok...now, the category itself is being excluded but not the content that is within the category?

Example:

News item with category of MEMBERONLY
MEMBERONLY permissions set to
ALL GROUPS Categories::Category MEMBERSONLYcatid:: NONE
(MEMBERSONLYcatid replaced by actual id)

A user with permissions for the category (MEMBERS Categories::Category MEMBERSONLYcatid:: READ) sees on frontpage and in module News:

News
[ Front Page | Archive | Submit Article ]
MEMBERONLY: News Title

Blah Blah Blah...
------------------------------

NON-logged in or non-MEMBERS group user (hence no permission) sees:

News
[ Front Page | Archive | Submit Article ]
News Title

Blah Blah Blah...
---------------------

Notice the only difference is that you don't see the category in front of the title. Is this all category permissions do? Hide the category itself, but NOT restrict any content that is in that category?

I thought the category system could be used to restrict content using permissions, not just hide the particular category text.

NCM




So no go? Content cannot be restricted via categories? Or is this a bug that is not working?

To summarize:

Using Categories::Category syntax I can restrict the category itself BUT NOT the content assigned to that category.

This is a step backwards, IMO, for the modules that use the new categories. .76+ era modules used topics / their own category system but you could restrict content based on those.
I'll review and fix it.
Each module should filter its content with its defined rules,
and the general categories access check is not there currently,
but I'll add it.

Don't worry!

--
- Mateo T. -
My principles... are my ends
Mateo,

So each module has to initiate its own permissions check for categories? I somehow thought if enabled for the module, the category permissions applied automatically.

Perhaps that would be something to look at for .9 - automatic filtering based on category permissions, making it a sitewide feature for modules that plugin to the categories system.

I just wanted to make sure I wasn't "missing" the point.

IMO, a system where one permission, based on the category itself, could restrict content across all modules that used the category system, would be ideal.

My impression was that this was already possible in .8, but thank you for the clarification.

I like the new category system - it's very flexible and seems to work well. If this piece were included down the road, it would also be very powerful permissions wise.

So you're going to add it to the News module? If so, let me know when and I'll take a look at the code.

Again, thanks for everyone's efforts on .8 - it's a great package!
NCM

Well,
it seems that this feature requires some modifications in DBUtil itself. I've tried to do a temporary filter for the News module, but without some help from DBUtil it's impossible, and if articles are filtered, the pager is the next problem.

Currently, the process is:
You ask DBUtil to select some objects from the module table,
optionally you pass some permissions/category filters.
DBUtil selects the adequate items,
then applies some post-processing depending on the module configuration.
If Categories are enabled for that module,
they are attached to the items in the __CATEGORIES__ field with the help of CategoryUtil, but here, the Category-based permissions just prevent this from being attached to the item (as you mentioned).

We need to make this Category Permission check a pre-condition for the DBUtil query, and it's possible in this way:
Collect the "forbidden" categories in some manner (this is the big point),
and exclude the items that belong to them (a negative category filter).

So, we have to find a way to translate the Categories::Category + ACCESS_NONE permission rules into category IDs and exclude them in the DBUtil queries.

That's an idea to make this possible...

--
- Mateo T. -
My principles... are my ends
Yikes...just tried to step through it myself looking at DBUtil, generateCategoryFilterWhere, etc.

I'm thinking in the _selectPostProcess of DBUtil, drop objects that don't pass a category permissions check.

You're already iterating through the objects, just throw in a good ol' security check. If no READ permissions are there, then drop that object from the array (and decrement object counts?).

As you said, the issue is counts and pages - the object counts are performed before this process.

EDIT - another consideration is parent/child categories - does a NONE permission for a parent deny all children categories, too? Intuitively it should.

Hmm...

Was this never thought about during implementation of categories? How to restrict content via category and by branch (parent branch, child leaves all restricted)? Wish the category was just a natural join to make it easier...lol

NCM



edited by: uheweb, Mar 13, 2008 - 03:12 AM

Quote

IMO, a system where one permission, based on the category itself, could restrict content across all modules that used the category system, would be ideal.


This could be ideal for e.g. a calendar, so events could be viewed with category restrictions ...



edited by: jami, Mar 20, 2008 - 06:36 PM

--
http://code.zikula.org/crpcalendar
http://code.zikula.org/crpvideo
http://code.zikula.org/crptag
http://code.zikula.org/crpcasa
http://jami.cremonapalloza.org
Mateo,

Had any time to look at this? From what I can see, it's a tough one - especially with negative permissions and content that can belong to multiple categories.

$50 bounty to whoever figures out a reasonable way to do this at the DBUtil level

I'm stuck on how to handle multiple categories along with permissions that contradict - i.e., NONE for one category, READ for another - need to find the overriding permission and only allow on that.

Also, what about parent / child paths? If a parent is denied...should the children be denied too? Ideally, setting permissions for a category should set them for the entire branch.

Does the current category permissions check paths, or merely IDs?

NCM

Well, the category system right now (in 0.8 SVN code, not in RC3) supports the following permission check:

Code

$permFilter = array();
$permFilter[] = array('realm'            => 0,
                      'component_left'   => 'Categories',
                      'component_middle' => '',
                      'component_right'  => 'Category',
                      'instance_left'    => 'id',
                      'instance_middle'  => 'path',
                      'instance_right'   => 'ipath',
                      'level'            => ACCESS_OVERVIEW);


So you can use this to filter on categories through generic permissions. This should enable you to filter globally on categories using the permissions rules you described in your post.

Let me know if this solves your issue.

Greetings
R
rgasch,

As I reported earlier in the thread, that merely filters the category, but doesn't restrict any content with the assigned category.

The News module is a prime example. If you set the news article to a certain category (say MEMBERSONLY with catid of 999), then put a permission of NONE on that category, the news article still shows to everyone.

ALL GROUPS Categories::Category 999:: NONE - placed above all generic permissions.

Admins see the news WITH a category:

News
[ Front Page | Archive | Submit Article ]
MEMBERONLY: News Title

Blah Blah Blah...
------------------------------

NON-logged in or non-MEMBERS group user (hence no permission) sees:

News
[ Front Page | Archive | Submit Article ]
News Title

So, the generic permission for categories blocks the use of the category, but not the content itself that is assigned to that category.

Again, this is a step backwards from using topics/old style categories in that at least there you could block (or enable) an entire section of the site by setting permissions for certain topics. The content AND the topic were blocked.

I am using SVN and cannot filter any module content by category, just the categories themselves are filtered, but not the content with those assigned categories.

Following the code in several category-enabled modules, I don't see where the content ever has a category filter applied at any level - News, crpCalendar, etc.

Again, originally, I thought this was a feature of the new categories - where all modules that use them could have global categories and filter the module's content by using a Categories permission.

The issue is now, the original Stories Category permission no longer works (as story categories are just a part of the new categorization system) and you can't use the Categories permissions to filter content, either.

So, to clarify -

What is the intended functionality with .8? Should it, or should it not, filter content by category?
If so, who else sees the same behavior I do - that the category is filtered, but the content is not?

Mateo seemed to see the problem, but as he and I stated, there seem to be some technical problems implementing at the DBUtil level.

1. Categories are not attached to the returning data until late in the DBUtil process, so a filter does not work - would need to be done in the marshall / postProcess phase when other iterations occur and a permission check can be done on categories.

2. With multiple categories possible, how to check against multiple categories at once and determine the "highest" permission. (only applies where multi-categorization is allowed by the module).

3. If the category permission check is late in the DBUtil postprocess, then record counts are off if some returned records are dropped - affecting total record counts, paging, etc.

If this is NOT intended functionality, let's just state the limitation and make sure documentation says that categories cannot be used to filter content, merely to classify it.
I see the problem
and it can be solved by extending the DBUtil's Category filter to exclude the items that belong to forbidden categories. But I guess it's an overload if you define many permissions levels... I guess that may be for .81, or after the Google Summer of Code where I want to be a student of Robert, passing the categories to a nested way, it can be more reliable than now...

I'll keep thinking on this
see ya

--
- Mateo T. -
My principles... are my ends
This has actually been fixed in SVN today

You can now have permissions like:

Unregistered / Categories::Category / 31|32:: / None

This will hide all content in News and Pages that belongs to either category 31 or 32.

If you have multiple categories for each item then you only need access to one of the categories for an item.

So a News item associated with Cat-31 and Cat-33 *will* show up with the above permissions. A News item associated with Cat-31 and Cat-32 *won't*.
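
The behaviour discussed in this thread, as an added illustration (not the code committed to SVN, and not Zikula's DBUtil API): the "access to one category is enough" rule from the post above, and why the check has to run before counting and paging rather than in post-processing. Function names, item ids and the treatment of uncategorised items are assumptions; the data is constructed.

```php
<?php
// Constructed sample data: item id => ids of the categories assigned to it.
$items = [
    1 => [31, 33],  // one category is still accessible
    2 => [31, 32],  // every category is denied
    3 => [32],
    4 => [33],
    5 => [],        // uncategorised
    6 => [31],
];
// Category ids denied by "Unregistered / Categories::Category / 31|32:: / None".
$denied = [31, 32];

// Rule from the post: access to one of an item's categories is enough.
function isVisible(array $cats, array $denied): bool
{
    if ($cats === []) {
        return true; // assumption: category rules do not touch uncategorised items
    }
    return array_diff($cats, $denied) !== [];
}

// Post-processing approach: the query pages first, forbidden rows are dropped after.
function pageThenFilter(array $items, array $denied, int $offset, int $limit): array
{
    $page = array_slice($items, $offset, $limit, true);
    return [
        'total' => count($items), // counted before the permission check
        'ids'   => array_keys(array_filter($page, fn($c) => isVisible($c, $denied))),
    ];
}

// Pre-condition approach: exclude forbidden items first, then count and page.
function filterThenPage(array $items, array $denied, int $offset, int $limit): array
{
    $visible = array_filter($items, fn($c) => isVisible($c, $denied));
    return [
        'total' => count($visible),
        'ids'   => array_keys(array_slice($visible, $offset, $limit, true)),
    ];
}

print_r(pageThenFilter($items, $denied, 0, 3));
print_r(filterThenPage($items, $denied, 0, 3));
```

Paging before the check leaves a short first page and a total that still counts hidden items, which is the pager problem raised earlier in the thread; filtering first keeps the page size and the count consistent.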
Great work Jorn.
The new category stuff has delayed the final release, but there are a lot of new possibilities for admins to make use of cats and subcats.

--
campertoday.nl, Module development, Dutch Zikula Community