TYPO3 9.5.22
I have a TYPO3 based site with a number of department related subtrees, D1, D2, D3.
Users of department D1 are in backend group D1 and can work in the D1 Subtree via a DB mount.
Users of department D2 are in backend group D2 and can work in the D2 Subtree via a DB mount.
If a user U1D1 (Member of Group D1) creates a page in the D1 subtree, the page group owndership by the "admins" group.
This means that U2D1 can not edit pages of U1D1.
What do I have to do so pages created by U1D1 belong to group D1 instead of admins?
Any help would be greatly appreciated.
Usually, a new page would get the main usergroup of a user (probably "admin" in your case).
You can override that by setting TCEMAIN.permissions.groupid in PageTS on the specific pagetree. https://docs.typo3.org/m/typo3/reference-tsconfig/master/en-us/PageTsconfig/TceMain.html#groupid
Don't hesitate to ask if you are unsure how to add it for a specific page tree.
You can use the TYPO3 mechanism for setting default values for single fields of a record. in this case the records are pages and the default value in question is the group the page should belong to.
In case you have a complex system of user groups where multiple groups should be able to share access to the same pages it's helpful to introduce a helper group which is subgroup of the groups assigned to the users (typical for LDAP connections). in this way you have groups which own the pages, and multiple parent groups which include the owner groups.
As new pages are assigned the primary user group by default, you end up in a chaos which pages can be edited by which user. Especially if admins are involved too. Here it is necessary to assign clearly the owner group to any new pages.
more Info on the settings can be found in this SQ answer:
https://stackoverflow.com/a/60072878/6796354
You can adjust the ownership and access rights on the access-page
Related
What is the best way to separate assets in a multi site TYPO3 9.5 setup. So editors of site A do not have access to the assets of site B and vice versa. But editors with permissions to edit both sites, should have access to the assets of site A and B.
In general: try to avoid assigning anything to users directly.
Try to assign rights, acccess to BE usergroups. so you have roles which can be granted to individuals. and if someone has multiple roles he gets multiple usergroups and has the compound rights.
Be aware of some drawbacks you will not be able to avoid:
if a user has access to multiple filemounts (because of different roles) he can use these cross over.
In your case: if an user has access to filemount A for site A and filemount B for site B he also can use a file from A in the pages of B. Other editors with only access to site B may have problems to edit this.
Creating new pages might hide the new pages for other users. as TYPO3 uses a similar system of rights like the unix file system you must ensure that new pages have the correct group so other members of the group can access these pages. as normaly the first group is taken it might be the group of the other site. give all pages a default group with TSconfig in the root pages of the different sites.
.
TCEMAIN.permissions {
# the id if the BE usergroup who should be able to edit pages in this tree
groupid = 13
# now the rights for owner, group, world (1)
user = 31
group = 19
everybody = 1
}
(1) the rights are assigned bitwise:
2^0 = 1 = show page (show/Copy page and content)
2^1 = 2 = edit page (Change/Move page, eg. change page title)
2^2 = 4 = delete page (delete page or content)
2^3 = 8 = new pages (create new pages under this page)
2^4 = 16 = edit content (change/ add/ delete/ move content)
I have a table that has a long column that is a GroupCode. I can have groups of products, so to get all the product of a group I just get all the products which GroupCode is the same.
I can change a product from one group to another, and if I change a product from a group, I want that all the products of the group change to the new group.
If I use optimistic concurrency, it could happen this:
One user wants to change a product from a group, so he gets all the products with the same groupCode. Set the new new groupCode to all this products.
A second user add a new product to the group. But the first user doesn't have this product because he got all the products before the second user add the new product.
So at the end, a new product has a wrong GroupCode, because the code is not correct because all the products of the group was change to the new group. So I would have a group with only one product, and it wouldn't be correct.
With pessimistic concurrency, the first use get all the products of the group, block all the products.
The second user try to add a new product to the group, to do that, first try to get one of the products of the group as reference product, but how it is blocked by the first user, the second user has to wait.
The first user changes all the products to the new group and unblock all the products.
The second user get the reference product, that has the new groupCode, so the new product is added to the correct group.
In summary, I want that when I change a product from one group to another, I want to change all the products of the group, and avoid that a new product belongs to the old group.
Is it possible to solve this case with optimistic concurrency? Or I have to use pessimistic concurrency?
I honestly don't see the issue here. If you want to implement it as OCC, you should just follow the OCC phases.
User A gets all records which belong to group ABC
User B gets a reference to Record1, which belongs to ABC at the moment
User A moves Record1 to group XYZ
User B wants to add a new record to the group to which Record1 belongs. So just before inserting the record, get the group of Record, which is now XYZ
This is assuming that you go with the 'referential record' approach. If your screen (or whatever) just lists the currently available groups, and meanwhile one of those groups becomes empty (because you have moved all records to another group), there is no way of telling if that's a concurrency issue or it is working as expected. In such case, you should normalize your database and split the categories into a separate table, so that at least the user gets an error that the group no longer exists.
I created an attribute set and attribute groups with attributes in it. In the admin panel the attributes are listed in groups, like i created them. But on the front productpage all the attributes are listed together, without displaying the attribute group name first.
I would like to display the Attribute Group Name on the product page (more information tab), before the attributes in this group. How do i do that?
There is no way to do this by default in Magento 2.
There are a few ways I can think of to acheive this. Perhaps best would be to extend the getAdditionalData() method in /Block/Product/View/Attributes.php so that it adds the attribute group name (or id) to the returned array.
You would then need to create a local copy of Magento_Catalog/templates/product/view/attributes.phtml and iterate the array returned by the modified getAdditionalData() method sorting it according to the group name and then output the data with group name headings.
I'd be interested to hear of other or best practice approaches to this type of relatively simple extended functionality in Magento 2.
I have created an Organization which has four user groups. I want to restrict the user group to view the file uploaded by the other user group.
i.e
Organization 1
User Group 1
A
B
User Group 2
C
D
User Group 3
E
F
User Group 4
G
H
I am using CustomLanding hook to land on the organization page.
From above, If A uploads a document, it can be viewed only by B in user group 1.
Like the same I want to restrict the viewable condition to other groups also.
Please guide me to achieve this.
Regards,
Dinesh.
you can create different roles for the user and apply permission for role.
Instead of taking as user group with in organization we have teams. you can try with teams.
IBM DB2 has nice LBAC (label based access control) policy. I am not facing problem when creating or using these policies from within the query browser. However, my requirement is a bit different. Using LBAC, let us say that I have created the required security labels and assigned them to the columns and rows in the database tables. Now, Given the access control for the user, I want to find out if a particular label is accessible to that user.
DB2 will internally figure it out and produce the desired results, however I need some solution which would tell me if a particular column/row is accessible to the user, if I am given the user's access level along with the security labels for each column/row. I need some method which does the following:
Find out the security labels for a column [I can do this]
Find out the access controls allowed to the user [I can do this]
Tell if these security labels are accessible for the user [I do not know how to achieve this]
Consider this example:
My sample component:
/*Create the component*/
CREATE SECURITY LABEL COMPONENT ORG_DIVISIONS
TREE ('ORGANIZATION_ADMIN' ROOT, --The admin will have the complete access
'SALES' UNDER 'ORGANIZATION_ADMIN', --The sales department will have acess to the financial information for each unit
'RESEARCH' UNDER 'ORGANIZATION_ADMIN', --The research division will have access to technical specs and design along with certain financial information
'RSM1' UNDER 'RESEARCH', --The research manager 1 will have access to certain design and technical specs and certain financial information (depending on the project he is undertaking)
'RS_ENGG1' UNDER 'RSM1', --The research engineer 1 will have access to certain technical specs (depending on the project he is undertaking)
'MANUFACTURING' UNDER 'ORGANIZATION_ADMIN', --The manufacturing unit will have access to design along with certain financial information
'MFM1' UNDER 'MANUFACTURING', --The manufacturing division manager 1 will have access to certain designs along with certain financial information (depending on the project he is undertaking)
'MF_ENGG1' UNDER 'MFM1' --The manufacturing division engineer 1 will have access to certain designs (depending on the project he is undertaking)
)
My sample policy for the component:
/*Create the policy*/
CREATE SECURITY POLICY ORGANIZATION_POLICY
COMPONENTS ORG_DIVISIONS
WITH DB2LBACRULES
RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
My sample set of labels:
/*Create the labels from the policy components*/
CREATE SECURITY LABEL ORGANIZATION_POLICY.ORGANIZATION_ADMIN
COMPONENT ORG_DIVISIONS 'ORGANIZATION_ADMIN'
CREATE SECURITY LABEL ORGANIZATION_POLICY.SALES
COMPONENT ORG_DIVISIONS 'SALES';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RESEARCH
COMPONENT ORG_DIVISIONS 'RESEARCH';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RSM1
COMPONENT ORG_DIVISIONS 'RSM1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.RS_ENGG1
COMPONENT ORG_DIVISIONS 'RS_ENGG1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.MFM1
COMPONENT ORG_DIVISIONS 'MFM1';
CREATE SECURITY LABEL ORGANIZATION_POLICY.MF_ENGG1
COMPONENT ORG_DIVISIONS 'MF_ENGG1';
My sample user:
/*Use the defined policies and grant accesses to the users*/
GRANT SECURITY LABEL ORGANIZATION_POLICY.RSM1
TO USER someone FOR ALL ACCESS;
Now, since I defined a tree component, the user someone will have access to entities which are labeled RSM1 or with its children labels (RS_ENGG1 in this case). DB2 knows this and will present me the relevant results if login as user someone and fire queries. But the question is, how can I (as an admin) know which columns/rows would be accessible to user someone? Can this information be retrieved from some security table or figured out somehow?
Regards,
Salil Joshi
I could not find any solution to this problem. What I ultimately did was to find out the security components of the type 'Tree' and 'Array', list their components, and re-constructing the equivalent tree in Java.
1) Find out the labels granted to the user
SELECT
A.grantee
,B.secpolicyname
,c.seclabelname
FROM
syscat.securitylabelaccess A
,syscat.securitypolicies B
,syscat.securitylabels C
WHERE
A.seclabelid = C.seclabelid
AND A.secpolicyid = B.secpolicyid
AND B.secpolicyid = C.secpolicyid
2) Find out the array and tree component elements:
For trees:
SELECT
D.secpolicyname
,B.elementvalue
,B.parentelementvalue
FROM
syscat.securitylabelcomponents A
,syscat.securitylabelcomponentelements B
,syscat.securitypolicycomponentrules C
,syscat.securitypolicies D
WHERE
A.compid = B.compid
AND A.comptype = 'T'
AND A.compid = C.secpolicyid
AND C.secpolicyid = D.secpolicyid
For arrays (note: I could not find the order in which the elements were inserted in the array, but found that doing a selection (select *) rather than projection (select A.a, B.b, ...) helps here. Any better solutions are welcome):
SELECT *
FROM
syscat.securitylabelcomponents A
,syscat.securitylabelcomponentelements B
,syscat.securitypolicycomponentrules C
,syscat.securitypolicies D
WHERE
A.compid = B.compid
AND A.comptype = 'A'
AND A.compid = C.compid
AND C.secpolicyid = D.secpolicyid
3) Generate the list of labels allowed for the user using the above constructs.
One small problem here is that the component elements and the labels created from them might not have same name, and I could not find any mapping for them. I have posted this problem here for the same.