tutos-devel Mailing List for TUTOS

On Tue, Nov 09, 2004 at 04:21:48PM +0100, Gero Kohnert wrote:
> Hi,
> 
> Martin Slouf wrote:
> >
> >Fisrt, to sum up my knowledge:
> >------------------------------
> >
> >1. Default ACL for any new object are set using $tutos[defaultacl] in 
> >config.
> >Setting it to '2' means no setting at all. (Just a creator == owner of the
> >object can edit it.)
> 
> NO. TUTOS is using the default permissions that are defined in the 
> user_new dialog (see setion "defaultgroups for new objects".
> 

i knew that one, just forget about it (probably i mentioned that below)

> >2. TUTOS allows to set ACL to any existing object (in case i have right to 
> >set
> >them) to any user or team i have a privillage to "Use" or to any team i am 
> >a
> >member of.
> 
> Yes.
> 
> >3. There is no GUI to set / change permissions for a group of objects. 
> >(Anyway,
> >is there anyone who tried direct database ACL changes for groups of object?
> >Can i hear about their experience?)
> 
> NO. On adminpage you have a "Permissions Overview" link to 
> acl_overview.php. There you have a way for massupdating permissions. 
> This is normally only visible to admins.
> 

great! thx.

> 
> >Second, my requirements:
> >------------------------
> >
> >An example:
> >
> >A secretary needs to see/use/edit all the contacts and appointments that 
> >are /
> >will be in the system.  But she can't see/use/edit/delete any projects, 
> >neither
> >anything else.
> >
> >I hope, there is no need to mention, that there are several roles (actors 
> >in
> >UML) like that (chief, admin, secretary, developer, ...) in any real 
> >company,
> >which would find such a settings helpfull.
> 
> You can create roles that reflect the roles. Those teams are used in the 
> default acl settings. So all new objects will have permissions according 
> to the default settings.
> example:
> 
> default acl for user A will set the USE permisison for "TEAM Secretary"
> 
> default acl for user A will set the DELETE permisison for "TEAM Chief".
> 
> user A is creating a project X
> Chief C who is member of "TEAM Chief" is allowed to delete the project X.
> Secretary D ,member of "Team Secretary" is only allowed to See and Use 
> (i.e. attach things) the project X.
> 
> Hopefully someone is integrating this example into the wiki :-) I simply 
> have no time today.
> 

- - - -

So your advice (briefly):

1. for any given role, create a team

2. set $tutos[defaultacl] == 2

3. any user in the system will have to have set the default groups for new
object (at user_new.php) to the same values, as required by the roles in the
system, cause any differences among users and their setting will break the
dependencies, causing a "team secretary" see appointments created by one user,
but not to see appointments created by another one

4. users will have to be forbidden to change their 'default group for new
objects' (by rules of the organization, cause in TUTOS it is imossible to
prohibit the access to 'Personal Settings page' (user_new.php, without source
code change of course)?)

5. any user will be assigned a role and will be member of the team representing
that role

- - - -

as i can see, it can help implement such roles, but how to avoid this:

if i want to have new object (say appointment) to be able to be used by "team
secretary", and new object (say project) to be able to be used by "team
developers", what then?

If i understand all of this well, to set "default groups for a new object" does
not allow me to distinguish among objects (appointments vs. projects) but it is
applied to any new object (appointmens as well as projects); so, to conlude i
think that the setting is not possible with the approach you suggest? pls, tell
me that im wrong! :)

the solution i have suggested in previous message allowed such a setting, but
it was hard to maintain.

m.

Hi,

Martin Slouf wrote:
> 
> Fisrt, to sum up my knowledge:
> ------------------------------
> 
> 1. Default ACL for any new object are set using $tutos[defaultacl] in config.
> Setting it to '2' means no setting at all. (Just a creator == owner of the
> object can edit it.)

NO. TUTOS is using the default permissions that are defined in the 
user_new dialog (see setion "defaultgroups for new objects".

> 2. TUTOS allows to set ACL to any existing object (in case i have right to set
> them) to any user or team i have a privillage to "Use" or to any team i am a
> member of.

Yes.

> 3. There is no GUI to set / change permissions for a group of objects. (Anyway,
> is there anyone who tried direct database ACL changes for groups of object?
> Can i hear about their experience?)

NO. On adminpage you have a "Permissions Overview" link to 
acl_overview.php. There you have a way for massupdating permissions. 
This is normally only visible to admins.


> Second, my requirements:
> ------------------------
> 
> An example:
> 
> A secretary needs to see/use/edit all the contacts and appointments that are /
> will be in the system.  But she can't see/use/edit/delete any projects, neither
> anything else.
> 
> I hope, there is no need to mention, that there are several roles (actors in
> UML) like that (chief, admin, secretary, developer, ...) in any real company,
> which would find such a settings helpfull.

You can create roles that reflect the roles. Those teams are used in the 
default acl settings. So all new objects will have permissions according 
to the default settings.
example:

default acl for user A will set the USE permisison for "TEAM Secretary"

default acl for user A will set the DELETE permisison for "TEAM Chief".

user A is creating a project X
Chief C who is member of "TEAM Chief" is allowed to delete the project X.
Secretary D ,member of "Team Secretary" is only allowed to See and Use 
(i.e. attach things) the project X.

Hopefully someone is integrating this example into the wiki :-) I simply 
have no time today.



more maybe later


Gero

Hi to all of you at tutos-devel list,

this is my first contribution to this list.

I have several questions on proper ACL settings.

Fisrt, to sum up my knowledge:
------------------------------

1. Default ACL for any new object are set using $tutos[defaultacl] in config.
Setting it to '2' means no setting at all. (Just a creator == owner of the
object can edit it.)

2. TUTOS allows to set ACL to any existing object (in case i have right to set
them) to any user or team i have a privillage to "Use" or to any team i am a
member of.

3. There is no GUI to set / change permissions for a group of objects. (Anyway,
is there anyone who tried direct database ACL changes for groups of object?
Can i hear about their experience?)

Second, my requirements:
------------------------

An example:

A secretary needs to see/use/edit all the contacts and appointments that are /
will be in the system.  But she can't see/use/edit/delete any projects, neither
anything else.

I hope, there is no need to mention, that there are several roles (actors in
UML) like that (chief, admin, secretary, developer, ...) in any real company,
which would find such a settings helpfull.

Third, solution:
----------------

The problem i see is that TUTOS ACL covers not only the functionality, but also
the unique objects -- to have a privillage to edit the contacts does not mean
automatically, that i will be able to edit a given contact, unless i have a
privillage to do so with that _given_ contact.  To have that priv, (1) i have
to be a owner / creator == controller, (2) i have to be explicitly allowed to
do so by that object controller, or (3) '$tutos[defaultacl] == 2' and i have
been allowed to do so explicitly or by a team membership at controller's
user_new.php form.

The systems i experienced so far usually covered only the functionality privs
-- ie. the priv to 'edit the contacts' once assigned, meant to edit all the
contacts that were in the system, no matter who controled (created/owned) them.

I see, that TUTOS ACL system is somewhat like the OS unix file permissions, but
it lacks at least the operations over a group of objects -- in unix i can
easilly create a new group, i can easily change permissions for this group and
i can easily add / remove several objects into / from this group. (though i
left the problem of creation of new objects behind.)

The only possible solution in TUTOS, i have found so far:

* $tutos[defaultacl] = 2

* users have no permissions at all

* there exists several special groups of users (teams) with permissions set

* adding a new user means:

  - give no permission at all (see above)

  - for new object explicitly select (see $tutos[defaultacl]) how to use them
  (select desired teams defined above)

  - add this user to all the desired teams (as in previous step)

When all of this is set up, a secretary (no permissions by herself, but being a
member of a "manage_contacts" team) can plan an appointment for a chief (no
permissions by himself, but being also a member of a "manage_contacs" team),
who can see it and edit it (in case team "manage_contacts" can see and edit
appointments).

This solution i found i dont consider being an elegant one.  It has several
disadvanteges:

* complete several steps to manage a simple usefull thing (to allow somebody
access only to allowed area of current and future objects)

* lot of precission and self control in privillege system

* lot of teams serving only for proper permission settings

* requirements on users -- they have to understand it a bit in order not to
change their default permissions on their settings page.

* not error proof -- even an advanced user can break something quite easily

- - - -

I will be gratefull for any comments, success stories :), better solutions or
even commiting, that there is no better way.

Thank you.

Regards,

Martin Slouf.

I am working on the problems, a few, and will solve
them in my next weekend :), I have added a menu maker
from the left-side maker contents, I must just improve
the code.

Best Wishes,
KMZ


--- Gero Kohnert <gok...@us...>
wrote:

> Kaveh Mousavi wrote:
> > {Screenshot has been attached.}
> 
> Looks very interessting.
> 
> > I designed a new layout and added JavaScript menus
> to
> > the tutos and removed the left side bar that in my
> > opinions was cause of many confusion and space
> > problems that make my developers repel from the
> tutos
> > system.
> 
> Wha have you done with pages like "Project Overview"
> where we have a 
> form in the left side menu (this stopped me when I
> was thinking about 
> such a system).
> 
>   > What do you think, Should we commit this new
> layout to
> > the system.
> 
> Sure if it works on all pages and we can reach all
> the functions.
> 
> 
> 
> 
> Gero
> 
> 
>
-------------------------------------------------------
> This SF.Net email is sponsored by:
> Sybase ASE Linux Express Edition - download now for
> FREE
> LinuxWorld Reader's Choice Award Winner for best
> database on Linux.
>
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
> _______________________________________________
> TUTOS-devel mailing list
> TUT...@li...
>
https://lists.sourceforge.net/lists/listinfo/tutos-devel
> 



		
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 

Javier Linares wrote:
> 
> Attached you'll find the first revision to the stable branch. There are
> still modules without translation, but that's just a beginning. If needed,
> I can open an account on SF and commit changes by myself.
> 
Thanks !
Today I have added the changes to both Branches and committed back to CVS.


Gero

Kaveh Mousavi wrote:
> {Screenshot has been attached.}

Looks very interessting.

> I designed a new layout and added JavaScript menus to
> the tutos and removed the left side bar that in my
> opinions was cause of many confusion and space
> problems that make my developers repel from the tutos
> system.

Wha have you done with pages like "Project Overview" where we have a 
form in the left side menu (this stopped me when I was thinking about 
such a system).

  > What do you think, Should we commit this new layout to
> the system.

Sure if it works on all pages and we can reach all the functions.




Gero

{Screenshot has been attached.}

I designed a new layout and added JavaScript menus to
the tutos and removed the left side bar that in my
opinions was cause of many confusion and space
problems that make my developers repel from the tutos
system.

I got a screenshot to show the first result.

What do you think, Should we commit this new layout to
the system.

The javascript menu has been embedded from:
http://sourceforge.net/projects/phplayersmenu/

It is a free (GPL) code.

Best wishes,
KMZ


		
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 

Hi, 

Should these themes CSS files commited to the project,
The INPUT tag border problem has been solved, and also
Textarea style has been added,
==
Four style sheet file has been attached.
==


Besides, I need to add a forum to the project, Do you
have any related task under development that I can
help or I must start a new one?


Best Wishes,
KMZ


		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail