Managing assets in a TYPO3 9.5 multisite setup - typo3

What is the best way to separate assets in a multi-site TYPO3 9.5 setup, so that editors of site A do not have access to the assets of site B and vice versa? Editors with permissions to edit both sites should have access to the assets of sites A and B.

In general: try to avoid assigning anything to users directly.
Try to assign rights and access to BE usergroups, so you have roles which can be granted to individuals. If someone has multiple roles, he gets multiple usergroups and has the compound rights.
Be aware of some drawbacks you will not be able to avoid:
If a user has access to multiple filemounts (because of different roles), he can use these cross-over.
In your case: if a user has access to filemount A for site A and filemount B for site B, he can also use a file from A in the pages of B. Other editors with access only to site B may have problems editing this.
Creating new pages might hide the new pages from other users. As TYPO3 uses a system of rights similar to the Unix file system, you must ensure that new pages have the correct group so other members of the group can access these pages. As normally the first group is taken, it might be the group of the other site. Give all pages a default group with TSconfig in the root pages of the different sites.
TCEMAIN.permissions {
    # the id of the BE usergroup that should be able to edit pages in this tree
    groupid = 13
    # now the rights for owner, group, world (1)
    user = 31
    group = 19
    everybody = 1
}
(1) the rights are assigned bitwise:
2^0 = 1 = show page (show/Copy page and content)
2^1 = 2 = edit page (Change/Move page, eg. change page title)
2^2 = 4 = delete page (delete page or content)
2^3 = 8 = new pages (create new pages under this page)
2^4 = 16 = edit content (change/ add/ delete/ move content)

Related

TYPO3: How to display Frontendgroup memberships in backend, felogin Extension

I have a TYPO3 v10 instance. The felogin Extension is installed to manage 4000 users in 100 usergroups, lots of tiny projects.
Is there a feature, a trick, an extension to answer this question, while working in the backend:
For a given frontenduser-group what are the feusers that belong to that group?
There does not seem to be a way to display this in the backend. At least not in the "List" module, after clicking on any frontendgroup-name, then working in any of the standard tabs "General / Options / Access / Notes / Extended".
Right now I get along with SQL statements like
SELECT * FROM fe_users WHERE usergroup like '%261%';
but this is very inconvenient.
I have migrated the users and groups from one old TYPO3 instance to a newer one, and now I want to enable editors to cross-check and review group memberships themselves.
The Stack Overflow "Similar questions" text-analysis tool points out that my question is indeed similar to this one: Extbase fe_user findByUsergroup - but that question is 4 years old, and perhaps there has been some progress?
I know of such an "included" feature. The list view offers a "ref" (references) column which shows you all references to this group. This might help a bit, but it contains pages, content elements... and user records in a mix.
Another option is to export a CSV of the website users with the "Groups" column enabled. This should give them all the data to review the group memberships.
If that is not enough, I would create a custom module to create such a view.
Meanwhile, as a workaround, I have used a nonstandard-SQL feature, the group_concat() function, to copy all frontendusernames of each group into the (empty) "description" field of the fe_groups table.
There they form a comma-separated list. A screenshot illustrates what my backend panel now looks like. See first line:
This method is only feasible if you are running a one-off migration, or if you can practice on a staging server first. You need to have absolute control over the TYPO3 database, and your bosses and editors shouldn't mind and like the final result. Also it overwrites what is in the description column.
Also, frontendusers who are in two or more groups will NOT get added to the csv-lists! Because their usergroup column has values like 262,398 which cannot be INNER JOINed properly with fe_groups.uid.
The key benefit of the group_concat() method is that a single SQL UPDATE statement (almost) solves the problem. No custom PHP programming needed.
/* works on mariadb:10.3 */
UPDATE
    fe_groups g,
    (
        SELECT
            usergroup,
            GROUP_CONCAT(u.username ORDER BY username SEPARATOR ', ') AS 'usernames'
        FROM fe_users u
        WHERE usergroup NOT LIKE '%,%'
        GROUP BY usergroup
    ) AS user_lookup
SET g.description = user_lookup.usernames
WHERE user_lookup.usergroup = g.uid
    AND user_lookup.usergroup NOT LIKE '%,%';
The code above does not work on mysql 5.7. There I had to try this instead:
/* works on mysql 5.7 */
SET SESSION group_concat_max_len = 15000;

/* LIMIT 0 copies no rows: this statement only creates the empty temporary table with the right columns */
CREATE TEMPORARY TABLE fe_groups_extrainfo
SELECT
    usergroup,
    GROUP_CONCAT(u.username ORDER BY username SEPARATOR ', ') AS 'usernames'
FROM fe_users u
WHERE usergroup NOT LIKE '%,%' AND uid > 9
GROUP BY usergroup
LIMIT 0;

/* fill the temporary table with the username list of every single-group user */
INSERT INTO fe_groups_extrainfo
SELECT
    usergroup,
    GROUP_CONCAT(u.username ORDER BY username SEPARATOR ', ') AS 'usernames'
FROM fe_users u
WHERE usergroup NOT LIKE '%,%'
GROUP BY usergroup;

/* copy the lists into the description field of the matching groups */
UPDATE fe_groups g
INNER JOIN fe_groups_extrainfo x ON g.uid = x.usergroup
SET g.description = x.usernames;
Sorry, it is not a single SQL statement like the MariaDB SQL statement, but it is still simpler than programming a custom TYPO3 extension with a complex backend module.
Update 09/2022:
It is essential to update the TYPO3 Reference Index after using this method (direct db-access with SQL-UPDATE statements).
typo3cms referenceindex:update
Otherwise the "Ref" column in the "List" module view would still show a "-" (meaning 0 users belong to this feuser-group). After updating the refindex, the "[Ref]" column will then display the approximate count of feusers.
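The two pitfalls in this thread, the substring match of LIKE '%261%' and the multi-group users skipped by the UPDATE, can be checked against an exact parse of the comma-separated usergroup field. This is an added example, not code from the posts; the sample rows are constructed and only the column semantics (username, usergroup as a CSV of group uids) come from the SQL above.

```python
from collections import defaultdict

# Constructed sample rows: (fe_users.username, fe_users.usergroup)
FE_USERS = [
    ("alice", "261"),
    ("bob", "262,398"),
    ("carol", "1261"),
    ("dave", "398,261"),
    ("erin", ""),
    ("frank", "2610,7"),
]

def parse_groups(csv_field):
    """Split the usergroup CSV into a set of integer group uids."""
    return {int(p.strip()) for p in csv_field.split(",") if p.strip().isdigit()}

def members_by_group(rows):
    """Exact membership: each user is listed under every group they belong to."""
    members = defaultdict(list)
    for username, csv_field in rows:
        for gid in parse_groups(csv_field):
            members[gid].append(username)
    return {gid: sorted(names) for gid, names in members.items()}

def like_match(rows, gid):
    """What usergroup LIKE '%<gid>%' selects: any row containing the digits."""
    return sorted(u for u, field in rows if str(gid) in field)

def single_group_only(rows):
    """What the UPDATE statements record: users whose usergroup has no comma."""
    members = defaultdict(list)
    for username, field in rows:
        if "," not in field and field.strip().isdigit():
            members[int(field)].append(username)
    return {gid: sorted(names) for gid, names in members.items()}

def review(rows, gid):
    """Compare both shortcuts with the exact member list of one group."""
    exact = set(members_by_group(rows).get(gid, []))
    return {
        "exact": sorted(exact),
        "like_false_positives": sorted(set(like_match(rows, gid)) - exact),
        "missed_by_single_group": sorted(exact - set(single_group_only(rows).get(gid, []))),
    }

if __name__ == "__main__":
    print(review(FE_USERS, 261))
```

On the database side, MySQL and MariaDB provide FIND_IN_SET() for the same exact-element match on a comma-separated column.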

TYPO3 default group ownership

TYPO3 9.5.22
I have a TYPO3 based site with a number of department related subtrees, D1, D2, D3.
Users of department D1 are in backend group D1 and can work in the D1 Subtree via a DB mount.
Users of department D2 are in backend group D2 and can work in the D2 Subtree via a DB mount.
If a user U1D1 (Member of Group D1) creates a page in the D1 subtree, the page is group-owned by the "admins" group.
This means that U2D1 cannot edit pages of U1D1.
What do I have to do so pages created by U1D1 belong to group D1 instead of admins?
Any help would be greatly appreciated.
Usually, a new page would get the main usergroup of a user (probably "admin" in your case).
You can override that by setting TCEMAIN.permissions.groupid in PageTS on the specific pagetree. https://docs.typo3.org/m/typo3/reference-tsconfig/master/en-us/PageTsconfig/TceMain.html#groupid
Don't hesitate to ask if you are unsure how to add it for a specific page tree.
You can use the TYPO3 mechanism for setting default values for single fields of a record. In this case the records are pages and the default value in question is the group the page should belong to.
In case you have a complex system of user groups where multiple groups should be able to share access to the same pages, it's helpful to introduce a helper group which is a subgroup of the groups assigned to the users (typical for LDAP connections). In this way you have groups which own the pages, and multiple parent groups which include the owner groups.
As new pages are assigned the primary user group by default, you end up in chaos about which pages can be edited by which user. Especially if admins are involved too. Here it is necessary to clearly assign the owner group to any new pages.
More info on the settings can be found in this SO answer:
https://stackoverflow.com/a/60072878/6796354
You can adjust the ownership and access rights on the access-page
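The group-ownership problem discussed in this thread and in the first answer on this page can be reproduced with a small model of the owner / group / everybody check. This is an added example, not TYPO3 code: the users and group 12 are constructed, the rights 31 / 19 / 1 and groupid 13 are taken from the TSconfig snippet above, and admin users (who bypass the check) are left out.

```python
from dataclasses import dataclass

# Permission bits as listed in the first answer on this page
SHOW, EDIT_PAGE, DELETE, NEW_PAGES, EDIT_CONTENT = 1, 2, 4, 8, 16
NAMES = {SHOW: "show", EDIT_PAGE: "edit page", DELETE: "delete",
         NEW_PAGES: "new pages", EDIT_CONTENT: "edit content"}

@dataclass
class BeUser:
    uid: int
    groups: list   # BE usergroup uids; groups[0] is the user's first (main) group

@dataclass
class Page:
    perms_userid: int
    perms_groupid: int
    perms_user: int
    perms_group: int
    perms_everybody: int

def describe(mask):
    """Decode a rights value such as 19 into the actions it grants."""
    return [name for bit, name in NAMES.items() if mask & bit]

def has_access(user, page, perm):
    """Non-admin check: owner, group or everybody must grant all bits in perm."""
    if (page.perms_everybody & perm) == perm:
        return True
    if page.perms_userid == user.uid and (page.perms_user & perm) == perm:
        return True
    return page.perms_groupid in user.groups and (page.perms_group & perm) == perm

def create_page(creator, permissions=None):
    """New page; `permissions` models TCEMAIN.permissions set on the page tree."""
    cfg = {"user": 31, "group": 19, "everybody": 1}  # rights from the snippet
    cfg.update(permissions or {})
    # Without a groupid override the creator's first group owns the page
    return Page(creator.uid, cfg.get("groupid", creator.groups[0]),
                cfg["user"], cfg["group"], cfg["everybody"])

if __name__ == "__main__":
    # Constructed users: group 12 = site A editors, group 13 = site B editors
    both, b_only = BeUser(5, [12, 13]), BeUser(6, [13])
    for label, ts in (("no TSconfig", None), ("groupid = 13", {"groupid": 13})):
        page = create_page(both, ts)
        print(label, "-> group", page.perms_groupid,
              "| site B editor may edit content:", has_access(b_only, page, EDIT_CONTENT),
              "| group rights:", describe(page.perms_group))
```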

Display only local categories or tree view in TYPO3 news creation

I have a TYPO3 v7.6.18 multi-site system with tt_news plugin for news.
Each site has its own news section with different categories like:
I would like to be able to choose from these categories, when creating a news item, but in the Categories&Relations (I have hidden the Relations tab, since I don't use it), I get the whole list of categories from almost all the projects (probably all, there is just a limit on how many it shows):
How can I set it to show only the categories for the current page (or at least a tree view, where I can see where the categories belong), because currently it's impossible to tell what category belongs to which project (since the names overlap)?
You can use TCA overrides to customize the foreign_table_where configuration option of the categories field in the tx_news_domain_model_news table:
$GLOBALS['TCA']['tx_news_domain_model_news']['columns']['categories']['config']['foreign_table_where'] = ' AND sys_category.pid = ###CURRENT_PID###' . $GLOBALS['TCA']['tx_news_domain_model_news']['columns']['categories']['config']['foreign_table_where'];
Notice that you need to prepend your additional constraint because the existing constraint ends with an ORDER BY.

Alfresco filter people by creator name

I want to modify the webscript alfresco-remote-api-5.0.d.jar\alfresco\templates\webscripts\org\alfresco\repository\person\people.get.js. I need to display for the connected user only the users he has created.
I have modified the filter to include the username in the query.
filter = filter + " AND cm:creator:admin";
people.getPeoplePaging(filter, paging, sortBy, sortAsc);
This must display only users created by admin.
But it's not working (no user is returned).
How can I select only users created by a certain user?
Looking at the content model definition below, I am sure that what you want to achieve is not possible, as person (user) does not have a creator property. The links below show the content model for users.
https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/COMMUNITYTAGS/V4.2c/root/projects/repository/config/alfresco/model/contentModel.xml
https://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/COMMUNITYTAGS/V4.2c/root/projects/repository/config/alfresco/model/systemModel.xml

How to restrict other user group members to view the Documents

I have created an Organization which has four user groups. I want to restrict a user group from viewing the files uploaded by another user group.
i.e.
Organization 1
    User Group 1
        A
        B
    User Group 2
        C
        D
    User Group 3
        E
        F
    User Group 4
        G
        H
I am using CustomLanding hook to land on the organization page.
From the above, if A uploads a document, it can be viewed only by B in user group 1.
In the same way, I want to restrict the viewable condition for the other groups also.
Please guide me to achieve this.
Regards,
Dinesh.
You can create different roles for the user and apply permissions for the role.
Instead of using user groups within the organization, we have teams. You can try with teams.