[MAGNOLIA-6340] Publishers should only see publish tasks of nodes they have access to Created: 14/Aug/15  Updated: 17/Aug/15  Resolved: 14/Aug/15

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.3.9
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Adi De Masi Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Given
Editor Edith is responsible for /home/section1
Publisher Paul is responsible for /home/section1,
Publisher Petra is responsible for /home/section2

All three users have only write access to their sections (and subpages)

Editor Edith now edits a page under /home/section1 and starts a publish request.

Both Paul and Petra now receive the task. Petra can even publish it, although she has no write access to the node.

It's desired that Petra only sees the tasks of the nodes she is responsible for. Maybe implement a check on the published path and only pick the users that have write access to this node.



 Comments   
Comment by Jan Haderka [ 14/Aug/15 ]

You should have two groups of publishers, section1-publisher and section2-publisher, each of them having respective roles giving them read access to the given subpath. Then in your workflow, you should route publishing requests from the /section1 path to the section1-publisher group and the same for /section2.

That way you would clearly see in your workflow definition who is assigned to do what, can easily control the flow or change it should you need to and there is no magic necessary to guess which publisher is the most appropriate one.

Comment by Jan Haderka [ 14/Aug/15 ]

If the above comment is not enough, please know that mapping of paths and invoking different workflows for different paths is also supported. If you need help setting it up, please ask in the forum or over support.

Similar (if not same) case is also discussed at https://forums.magnolia-cms.com/forum/thread.html?threadId=d5804078-3baf-4088-aae6-e43940a4b7ce&page=1

Comment by Adi De Masi [ 14/Aug/15 ]

Thanks Jan for the response,

After some digging, I found the PublicationTaskParameterResolver, where the groups that should receive the task are assigned by the definition. In the default case, this is just the group "publishers".

It would be possible to extend this resolver and override the assignment of groups. One could define a mapping between node paths and groups (I guess that is what you mean by "route publishing requests"?). But this would require duplicating all the permissions from the security app for these groups. Because this is not really convenient, I am now trying to fetch the groups that have access to the given path, which is also not so easy to do, but should be possible.

Another approach would be to remove unwanted tasks in the TasksManager for a user, which seems to be easier and cleaner at first glance.

Comment by Jan Haderka [ 17/Aug/15 ]

At the risk of sounding rude, please take the discussion to forum, you will have much bigger audience there.

BTW I don't see why you would need to duplicate all permissions. Permissions are assigned in roles, here we are talking about groups. If there are permissions (thus role(s)) that need to be assigned to all groups of permissions, you can just assign that role(s). Or you can have one generic "publishers" group and assign that to all sectionX-publishers groups that you will use for routing workflow.
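
The thread weighs two options: routing publish requests by path to per-section groups, and picking recipients by write access to the published node. The added example below is not Magnolia code and not from anyone in this thread; every class, method, group and user name is hypothetical and the ACL data is constructed. It models both in plain Java: a task is offered only to groups whose write ACL covers the node, and the publish action re-checks the caller's access, so seeing a task is never treated as authorization.

```java
import java.util.*;

// Added illustration in plain Java (9+); hypothetical names, no Magnolia API is used.
public class PublishTaskRouting {
    // Constructed sample ACL: group -> subtree roots the group may write to.
    static final Map<String, List<String>> WRITE_ACL = Map.of(
        "section1-publisher", List.of("/home/section1"),
        "section2-publisher", List.of("/home/section2"));
    // Constructed sample membership: user -> groups.
    static final Map<String, Set<String>> GROUPS = Map.of(
        "paul", Set.of("section1-publisher"),
        "petra", Set.of("section2-publisher"));

    // Matches the subtree root or a real descendant only, so that
    // "/home/section10" is not treated as part of "/home/section1".
    static boolean covers(String root, String path) {
        return path.equals(root) || path.startsWith(root + "/");
    }

    static boolean groupCanWrite(String group, String path) {
        return WRITE_ACL.getOrDefault(group, List.of()).stream()
                        .anyMatch(root -> covers(root, path));
    }

    // Assignment time: offer the task only to groups with write access to the node.
    static SortedSet<String> candidateGroups(String path) {
        SortedSet<String> out = new TreeSet<>();
        for (String g : WRITE_ACL.keySet()) if (groupCanWrite(g, path)) out.add(g);
        return out;
    }

    // Action time: re-check against the node itself before publishing.
    static void publish(String user, String path) {
        boolean ok = GROUPS.getOrDefault(user, Set.of()).stream()
                           .anyMatch(g -> groupCanWrite(g, path));
        if (!ok) throw new SecurityException(user + " has no write access to " + path);
        System.out.println(user + " published " + path);
    }

    public static void main(String[] args) {
        String page = "/home/section1/news";
        System.out.println("task offered to: " + candidateGroups(page));
        publish("paul", page);
        try { publish("petra", page); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        // Sibling path sharing a string prefix: no group covers it.
        System.out.println("task offered to: " + candidateGroups("/home/section10/x"));
    }
}
```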
