groupoffice
Missing module permissions
Since 6.5 there are only two levels of permissions in modules. Since 6.6 you have changed the edit element from a combo to a checkbox.
I see a major problem in ACL because since 6.5 you have only 2 levels of module permission - Use and Manage. However modules without AclOwnerEntity basically cannot be managed. Is it possible to restore the old permissions model where you can easily manage permissions on the module layer too?
I'm afraid it's not possible. We needed more flexibility in the module permissions. For example the core module now has rights for: manage users, groups and custom fields separately. This was impossible with ACL.
We had a similar problem with the studio modules without ACL. The file folders used to copy ACLs from the module. We fixed that now by creating an ACL in the studio module's record. We keep the permissions in sync with the module permissions.
Yeah I just went through what you did and you are trying to add something like Access Control Object (ACO) to GO. The ACO is basically an action that is requested to be performed. The only problem I see is that it is mixed together with the existing line RO to MANAGE, which should also be under rights / ACO. Together with Access Request Object (ARO) you get ACL. ARO is an entity that is requesting an action to be performed (in GO's case Groups and Users). The current issue is that you are unable to define ACO on the User entity. When you offer all options, you are back in 2004 :)
Btw PHP GACL was nice, fast and flexible enough. The only problem was the UI where you had to define all rules. So in 2010 I made an ExtJS UI (in a system without AJAX :-)) to make life easier for the operators who managed the user permissions.
I liked GO for simplicity. 10-50 was not only the best but still simple enough to explain to anyone.
So the upgrade to 6.6 will be more complicated than it looked. Next to the type hints, you have to replace ACL. In the latest 6.5 it was still possible to enable all the permission levels via override.
To cover the CREATE, EDIT, EDIT AND DELETE options on the module layer you have to define new rights. Right? Of course I am talking about modules where everyone can see everything or where you have to define a visibility filter to display records to the creator or manager. However if I am not wrong - with missing ACO for User entity (I didn't find any option how to define that rule) you have to define 3 new groups - Module Create, Module Edit and Module EditDelete to cover all existing options. After that you can finally assign users to groups to provide them permissions to work with records as in 6.5. Do you see this complexity? Am I missing something?
Summarise 6.6 status
- module permission levels - USE (10), MANAGE (50) to User (U) and G (Group)
- new module rights - to G
- category levels - same as in 6.5 - ie 10 - 50 to U and G
- record ACLs - per record or via ACLItemEntity from parent - again 10 - 50 to U and G
See \go\core\model\Module::getShadowAclId() for a workaround now.