[MAGNOLIA-6340] Publishers should only see publish tasks of nodes they have access to
Created: 14/Aug/15 Updated: 17/Aug/15 Resolved: 14/Aug/15 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | 5.3.9 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Adi De Masi | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Given All three users have only write access to their sections (and subpages). Editor Edith now edits a page under /home/section1 and starts a publish request. Both Paul and Petra now receive the task. Petra can even publish it, although she has no write access to the node. It's desired that Petra only sees the tasks of the nodes she is responsible for. Maybe implement a check on the published path and only pick the users that have write access to this node. |
| Comments |
| Comment by Jan Haderka [ 14/Aug/15 ] |
|
You should have two groups of publishers, section1-publisher and section2-publisher, each of them has respective roles giving them read access to the given subpath. Then in your workflow, you should route publishing requests from the /section1 path to the section1-publisher group and the same for /section2. That way you would clearly see in your workflow definition who is assigned to do what, can easily control the flow or change it should you need to, and there is no magic necessary to guess which publisher is the most appropriate one. |
| Comment by Jan Haderka [ 14/Aug/15 ] |
|
If the above comment is not enough, please know that mapping of paths and invoking of different workflows for different paths is also supported. If you need help to set it up, please ask in the forum or over support. A similar (if not the same) case is also discussed at https://forums.magnolia-cms.com/forum/thread.html?threadId=d5804078-3baf-4088-aae6-e43940a4b7ce&page=1 |
| Comment by Adi De Masi [ 14/Aug/15 ] |
|
Thanks Jan for the response. After some digging, I found the PublicationTaskParameterResolver, where the groups that should receive the task are assigned by the definition. In the default case, this is just the group "publishers". It would be possible to extend this resolver and override the assignment of groups. One could define a mapping between node paths and groups (I guess that is what you mean by "route publishing requests"?). But this would require duplicating all the permissions from the security app for these groups. Because this is not really convenient, I try now to fetch the groups that have access to the given path, which is also not so easy to do, but should be possible. Another approach would be to remove unwanted tasks in the TasksManager for a user, which seems to be easier and cleaner at first glance. |
| Comment by Jan Haderka [ 17/Aug/15 ] |
|
At the risk of sounding rude, please take the discussion to the forum, you will have a much bigger audience there. BTW I don't see why you would need to duplicate all permissions. Permissions are assigned in roles, here we are talking about groups. If there are permissions (thus role(s)) that need to be assigned to all groups of permissions, you can just assign that role(s). Or you can have one generic "publishers" group and assign that to all sectionX-publishers groups that you will use for routing workflow. |
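
One way to express the path-to-group routing discussed in the comments is a longest-prefix lookup that matches only on path-segment boundaries, so a task for /home/section10 is never assigned to the group for /home/section1. This is an added example, not Magnolia code and not code from the commenters: the class `PublisherGroupRouter`, its methods and the sample mapping are hypothetical, while the group names and the /home/section1 path come from the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper (not Magnolia API): picks the publisher group for a node path. */
public class PublisherGroupRouter {

    private final Map<String, String> routes = new LinkedHashMap<>();
    private final String fallbackGroup;

    /** fallbackGroup receives tasks for paths that no route covers. */
    public PublisherGroupRouter(String fallbackGroup) {
        this.fallbackGroup = fallbackGroup;
    }

    public PublisherGroupRouter route(String pathPrefix, String group) {
        routes.put(normalize(pathPrefix), group);
        return this;
    }

    /** Longest matching prefix wins; a prefix matches only on a path-segment boundary. */
    public String groupFor(String nodePath) {
        String path = normalize(nodePath);
        String best = null;
        for (String prefix : routes.keySet()) {
            boolean matches = prefix.equals("/") || path.equals(prefix)
                    || path.startsWith(prefix + "/");
            if (matches && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? fallbackGroup : routes.get(best);
    }

    /** Collapses duplicate slashes and drops a trailing slash so equal paths compare equal. */
    private static String normalize(String path) {
        String p = path.replaceAll("/+", "/");
        return p.length() > 1 && p.endsWith("/") ? p.substring(0, p.length() - 1) : p;
    }

    public static void main(String[] args) {
        // Constructed sample mapping; "publishers" is the default group named in the thread.
        PublisherGroupRouter router = new PublisherGroupRouter("publishers")
                .route("/home/section1", "section1-publisher")
                .route("/home/section2", "section2-publisher");
        String[] samples = {"/home/section1/news", "/home/section2/", "/home/section10/x", "/home"};
        for (String p : samples) {
            System.out.println(p + " -> " + router.groupFor(p));
        }
    }
}
```

A plain `startsWith(prefix)` check without the trailing slash would send /home/section10 tasks to section1-publisher, which is the same over-broad task visibility the issue describes.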