Security permissions

#21975 (In Topic #5293)

Community saint

The security permissions are somewhat "cloudy" (unclear) in the Access Control and Privileges help document.

The document shows some screens which I have not found. I refer firstly to the following edit category.. (I tried uploading a screen shot but the upload browse button went into a shaded mode and it won't let me post the upload file in this post.)

I have found edit category in >admin>Structure\forums\category

Where you talk about a type of permission screen it would be great to display the directory strings to get there or show the admin icons as smaller icons with arrows (Page Permissions and Key Match Permissions (>admin>Security\Global Specific permissions))







#21976

Community saint

The file!!

#21979

Thanks, noted for the future. I'll look into that upload problem too.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#22031

Community saint

Chris Graham said

Thanks, noted for the future. I'll look into that upload problem too.
 

Chris, I couldn't replicate the upload issue today on our test site. The upload appears to happen (at least the browse button is shaded) after you hit "preview" and a second upload dialogue box is shown… I would have thought the upload would only happen after you selected "New Post". I assume this is the case.

However I spent a considerable time looking into security and permissions on ver 3 today and this evening and have started to make a summary document for your review. It is by no means complete but the concepts and outline have allowed me at least to understand some of the things that are going on that deal with the quite vast security in the system.

The reason I wrote this was that I found it extremely difficult to follow your concepts from your help files compared to what went on in the actual screens. Particularly around forums, groups, additional permissions in groups, preset groups. You have a lot of things that are displayed on screen that don't appear to have discussion in either of the two security help files in a manner that is clear enough… especially in relation to roles, permissions, etc. for the Forums. The two URLs are obviously a bit out of date or have not kept up with the release and in my view should be combined to one clear document on security and permissions broken up into key sections. The menu should follow the sections. All security icons and access to security sections should be in the one admin console "security". There are bits in forum (Edit) and bits in other places.

If this document helps anyone else let me know and I might spend some more time extending it. Or if anyone can add to it, great… I would like to see some notes throughout the help files indicating if the concept relates to a page or a zone or multiple pages or multiple zones or the site, as I know that some of the permissions are system wide, some are zone wide, some are page wide, some are group wide, some are forum only specific etc. and which security is applied to what part is hard to follow. (In my view anyway)… You have already said previously you are prepared to put in some paths to where the actual operation takes place. That would help a lot.

The document has red sections which need some clarity and I would very much appreciate some additional explanations or sending me to other documentation.

Thanks :thumbs:



#22058

Hi,

It's a bit too late for me to take this in fully now, but I'll try and quickly address any issues/questions. It's great that you've written this document - I'm sure other users would be happy to have alternate documents to read like this one, so if you added it to our download system we'd validate it.

The first thing that comes to mind is I think you have developed a misconception:
The edit category screens are no longer important or special at all for editing permissions. They used to be the only way to edit permissions, but now they only serve as a convenient shortcut for those wanting to edit permissions at the same time as editing other details relating to the categories.
Instead, you should use the Permissions Tree Editor, which allows you to edit just about anything, and is the unified interface you said we should have.

Global Specific Permissions Editor - this module is not discussed or mentioned in detail in either help file on permissions.

The editor itself is very simple - the complex bit is specific permissions themselves. I think you've missed a large part of the documentation - check out the "Advanced Configuration" tutorial :). I agree that this could be reorganised as you suggest.

The post will be vetted by? (Site moderator? Group leader?)

These preset permissions are shortcuts. The 'vetted' bit actually translates into the 'bypass validation' specific permissions. Anyone with permission to both edit and to bypass validation, can in effect, vet.

The group leader has to be a member of the group also I would have thought.

Whilst that makes sense to us humans, it's not necessary for any technical reasons, so ocPortal won't enforce it.

Like what exactly need to list all

I agree.

Low: forum posts, cedi posts, calendar events

Mid: download, iotd, poll, banner, catalogue entry, authors, forum topics

High: current iotd, current poll, quizzes/surveys/competitions, comcode pages

Where is high visibility mentioned  or offered in a pull down switch in the forum security editing screens and what does it do?

As a forum only contains posts (low) and topics (mid), there is nothing that 'high' would work against, and hence ocPortal doesn't show it as something available for overriding in a forum.

What is the difference between submit lowrange and edit own lowrange  

A practical example:
  • you'd need 'submit lowrange permission' to post on the forum. Usually this would be granted globally. However company sites may not want it global, so instead override the forumview module so that 'submit lowrange permission' is available in that module and nowhere else. If they had a news forum then they'd probably override that to explicitly remove 'submit lowrange permission' permission for all except staff usergroups.
  • you'd need 'edit own lowrange permission' to edit your own forum posts. Therefore the staff would likely be happy to grant that permission. However they would not grant 'edit lowrange permission' because the staff would not want you to be able to edit anybody's posts.

Is there a specific list of what each default account can and cannot do?

There is virtually nothing that isn't decided by permissions. You can see virtually all of the permissions in the Permission Tree Editor, which has a special feature for allowing you to see an overview of the permissions for individual usergroups at a glance.

A Guest gets an internal error on entering the chat lobby (On most OC default sites I have reviewed)

You've found a bug - this will be fixed in the next release.

I hope that helps you :). Checking out the 'Advanced Configuration' tutorial should definitely be a big help to you.


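The permission rules described in the reply above (content ranges, 'submit' versus 'edit own' versus 'edit', per-module overrides, and vetting as edit plus bypass validation), as an added illustrative model that is not part of the original post and not ocPortal's own code. The privilege names, the scope tuples and the rule that any one usergroup granting a privilege is enough are assumptions made for the example:

```python
# Illustrative model only: privilege names and data layout are assumptions,
# not ocPortal's schema or API.
RANGE_OF = {  # content type -> range (a subset of the list in the reply)
    "forum post": "low", "cedi post": "low", "calendar event": "low",
    "download": "mid", "poll": "mid", "banner": "mid", "forum topic": "mid",
    "current poll": "high", "quiz": "high", "comcode page": "high",
}
# Constructed sample: a company site that does not grant posting globally.
GLOBAL = {
    "members": {"edit_own_lowrange"},
    "staff": {"submit_lowrange", "edit_own_lowrange", "edit_lowrange",
              "bypass_validation"},
}
# (scope, usergroup, privilege) -> True grants, False removes.
OVERRIDES = {
    (("module", "forumview"), "members", "submit_lowrange"): True,
    (("forum", "news"), "members", "submit_lowrange"): False,
}

def has_privilege(groups, privilege, scopes=()):
    """scopes lists the current context, most specific first; the first
    override found for a group wins, otherwise its global setting applies."""
    for group in groups:
        for scope in scopes:
            if (scope, group, privilege) in OVERRIDES:
                granted = OVERRIDES[(scope, group, privilege)]
                break
        else:
            granted = privilege in GLOBAL.get(group, set())
        if granted:
            return True
    return False

def can_submit(groups, content_type, scopes=()):
    return has_privilege(groups, f"submit_{RANGE_OF[content_type]}range", scopes)

def can_edit(groups, content_type, is_owner, scopes=()):
    rng = RANGE_OF[content_type]
    if has_privilege(groups, f"edit_{rng}range", scopes):
        return True  # may edit anybody's content in this range
    return is_owner and has_privilege(groups, f"edit_own_{rng}range", scopes)

def can_vet(groups, content_type, scopes=()):
    # "Vetting" is just edit plus bypass validation, per the reply.
    return (has_privilege(groups, f"edit_{RANGE_OF[content_type]}range", scopes)
            and has_privilege(groups, "bypass_validation", scopes))
```
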
#22063

Community saint

You need to give up sleeping !!  :shake:
#22064

Community saint

The group leader has to be a member of the group also I would have thought.

Chris says —> Whilst that makes sense to us humans, it's not necessary for any technical reasons, so ocPortal won't enforce it.

Response –> I think OC should enforce the rule. It doesn't make any sense at all to have a group leader assigned to a group that he or she is not a member of. That breaks all security validation rules. You could easily assign a non member to a closed group where the member is not supposed to be involved with.

I haven't tested if a member added to a group in this way as the "group leader" can actually see the group in forums (where they are not actually a member of that group) but assume they might based on your reply. I also assume the "group leader" role can only add and delete members from the forums that group is assigned to and not able to edit posts or move threads to other forums.

If the group where the member was incorrectly added to as a "group leader" was assigned to many forums then you could end up with a lot of closed forums having incorrect members added by a non scrupulous "group leader".

It's quite easy to assign the wrong member to a group if you spell a member name wrongly as it's a free format entry screen and that might need resolution one day. Certainly a pop up to say "Warning this member is NOT a member of the group you are making them a group leader for" "Do you wish to continue?"

 :|
#22087

I think OC should enforce the rule. It doesn't make any sense at all to have a group leader assigned to a group that he or she is not a member of.

On some thought, I do now actually think it makes sense. For instance, in an Orchestra forum, someone might lead the 'Violinist' usergroup (e.g. the conductor) but not themselves be a violinist. Here I might lead the customer group, but not myself be a customer.

see the group in forums

I think by 'seeing the group', you mean 'taking on the permissions of that group' and thus seeing what that group might only be able to see due to the extra view permissions.
The group leader does not automatically take on permissions from a group they lead - so no they couldn't, unless they were also in the group.
That said, as the leader they could add themselves to the group.

I don't think there's an extra security problem here: you could just as easily add the wrong user to a group as you could set the wrong leader. I'd advise anyone to copy and paste the usernames into the boxes to avoid making mistakes.

add and delete members from the forums that group is assigned to

I think there may be some confusion here. A group isn't assigned to anything in ocPortal, and there is no direct relationship between members and forums. Members and permissions are assigned to groups.

certainly a pop up to say "Warning this member is NOT a member of the group you are making them a group leader for" "Do you wish to continue?"

I think that's a good idea, and I'll add it to the next patch release.


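The group-leader behaviour discussed in this exchange, as an added example that is not part of the original posts and not ocPortal's own code: a leader gets no permissions from the group they lead but can add themselves to it, so an audit can list leaders who are not members together with the access they could acquire. The group names, usernames, forum names and data layout are constructed for the example:

```python
# Illustrative model only: the data layout is an assumption, not ocPortal's schema.
# Constructed sample data based on the orchestra and customer examples above.
GROUPS = {
    "violinists": {"leader": "conductor", "members": {"anna", "ben"},
                   "view": {"violin-forum"}},
    "customers": {"leader": "chris", "members": {"dana"},
                  "view": {"support-forum"}},
    "staff": {"leader": "chris", "members": {"chris"}, "view": {"staff-forum"}},
}

def visible_forums(user):
    """Only membership confers a group's view permissions; leading does not."""
    seen = set()
    for group in GROUPS.values():
        if user in group["members"]:
            seen |= group["view"]
    return seen

def reachable_forums(user):
    """What the user could see after adding themselves to every group they lead."""
    seen = visible_forums(user)
    for group in GROUPS.values():
        if group["leader"] == user:
            seen |= group["view"]
    return seen

def audit_leaders():
    """List (group, leader, latent forums) for leaders who are not members,
    the same condition the proposed warning pop-up would flag."""
    findings = []
    for name, group in GROUPS.items():
        leader = group["leader"]
        if leader not in group["members"]:
            latent = sorted(group["view"] - visible_forums(leader))
            findings.append((name, leader, latent))
    return findings
```
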