Blog - permissions to create post

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
1/11/2012 3:49:23 PM
Gravatar
Total Posts 18439

Re: Blog - permissions to create post

Actually the demo site is running a newer build, the permissions were moved out of site settings after the 2.3.7.6 release to solve this error caused by too many form elements that was a result of a recent ASP.NET security update.

There will be abother new release coming soon with that fix but it mainly affects sites with lots of roles because that creates more checkboxes and results in too many form elements.

1/11/2012 4:18:21 PM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Blog - permissions to create post

OK I see; a minor comment on that - it was nice having the role permissions in the accordion (fewer clicks).

I have upgraded my site to 2.3.7.6 with no change to my problem. 

Nothing in system log. Will keep investigating when I have time - I need to solve this.

 

1/11/2012 4:29:07 PM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Blog - permissions to create post

OK I binned the bad role and created a new one, added the users and gave it some permission (file upload and delete), then specific edit permissions on my feature instances.  A user in this role still cannot edit those features unless given edit rights on the page.

 

1/12/2012 2:16:15 AM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Blog - permissions to create post

Hi Joe

I've cracked it.  The problem is caused by giving (only) the Administrator role edit permission on the page. Once you do this, then all the symptoms above emerge. Users in any other roles cannot edit features on the page even if they are given explicit permissions to do so. If you give their role edit permissions on the page, they can then edit the features.

Is it a bug? Probably not, because I've now read in detail the paragraph in the page editing section...

Administrators and Content Administrators can view or edit any content. Therefore Content Administrators role is not shown, and there is no need to ever check the Administrators role except for the special case where you would like to lock out Content Administrators so that only Administrators can view or edit the content. In that case you can check only the Administrators role and no other roles and Content Administrators will not be allowed. However to protect content instance(s) on the page you should set Administrators as the only role in the Feature Instance Settings as well, otherwise Content Administrators can still get to it from the Content Manager page

So it seems we had accidentally put the page into "protected" mode.

But although we had dug our own grave here, I do think this is quite confusing (borne out by the fact that even you couldn't think of any way of achieving the symptoms I was seeing ;-)

I wonder if instead of including the Administrators role in the normal checkbox list (which is pointless except for the above special case), there could be a separate controller for "Allow only Administrators to edit this page and its features" [chk] (with help text that this overrides explicit permissions on the features, except for Content Admin who can get at them...etc).

Or just "Protected page?" [chk]   (yada yada help text)

I feel this would be much easier to understand for bears of little brain like me.

 

 

 

1/12/2012 10:03:16 AM
Gravatar
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog - permissions to create post

Hi Crispin. Joe and I had a discussion about this recently in this thread. Hopefully when the new text is added to the security pages, it will be more clear that the Administrators role operates in a different way than all the others.

Jamie

1/12/2012 5:01:12 PM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Blog - permissions to create post

Hi Jamie - I've bounced this around a few colleagues today (asp.net geeks and web devs) and we all agreed this should become a separate control to put a page into a special state of admin only / protected (etc), rather than including the admin role as a check box with special meaning.

So I think on reflection I'd still support my request for making this a separate override control as suggested in previous post.

I hope you can at least give this some thought, because this issue has clearly caused much confusion and wasted time for us and many others (admittedly because we were incapable of reading and understanding the help!).

 

1/12/2012 6:24:52 PM
Gravatar
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog - permissions to create post

Hi Crispin, my personal preference would also be to change the way it works since it is probably the least intuitive area of mojoPortal. Just to correct something you said, checking the Administrators box doesn't really "lock the page down" to Administrators only, because you can still check the box for other user roles to allow them rights in addition to Administrators. It really just locks out Content Administrators from editing. But I do like the idea of making a separate check box that says something like "Deny Content Administrators from editing this [page|feature]". That way, Administrator and Content Administrator could be left out of the edit roles completely to avoid confusion; the roles would all become additive, as they are expected to be; and it will be blatantly obvious if Content Administrators are set to "denied" status and security inheritance is interrupted.

An upgrade script to populate this box should be pretty straightforward: It would mark the box for all pages and features that have Administrators marked in the Edit roles.

I do like this idea, for what it's worth. Let's see what Joe thinks.

Jamie

1/13/2012 7:14:14 AM
Gravatar
Total Posts 18439

Re: Blog - permissions to create post

Hi Guys,

Ok, you've pursuaded me that it is a usability issue that needs to be addressed in the UI. My resistance was mainly based on I do not want to change the way security is enforced and I do not want to update role permissions in the database during upgrades, but after thinking about it I beleive I can achieve the needed changes in the UI without doing either of those things.

Just to correct something you said, checking the Administrators box doesn't really "lock the page down" to Administrators only, because you can still check the box for other user roles to allow them rights in addition to Administrators. It really just locks out Content Administrators from editing.

Acutally that is not quite right, but it only makes it more clear that it is not easy to understand and needs improvement for usability.

The way it works is if a page or feature instance permission is set to Administrators and no other roles then only administrators have access. Yes it locks out Content Administrators but it locks out everyone else too.

If no roles are checked then Administrators and Content Administrators have access.

If any roles other than Administrators are checked (even if Administrators is also checked) then, access is available to Administrators, Content Administrators, and the other selected roles.

Basically Administrators and Content Administrators are not subject to role permissions, but the special case is designed in order to make it possible to have some content that is only available to Administrators. So in that case Content Administrators are subject to that special case rule where if Administrators is the one and only allowed role then only Administrators get access.

So I think from the UI we will need 2 radio buttons above the roles checkboxes and I will remove Administrators from the checkbox list. The radio buttons will be like:

1. Only Administrators are allowed

2. Administrators, Content Administrators, and roles selected below are allowed.

If the first radio button is chosen then I will set the role to Administrators only on postback, else it will be based on the checkbox list.

Best,

Joe

1/14/2012 12:22:32 PM
Gravatar
Total Posts 537
feet planted firmly on the ground

Re: Blog - permissions to create post

Hi Joe

I think this is a decent solution, and thanks for reconsidering this. A little js to enable / disable the roles checkboxes when your new rbl is clicked might be nice too.

Also, when you are looking at the page itself (not its settings), some visible indication that it is in the protected state would be very useful. So if this setting has been invoked for Viewing, and you are logged in as Administrator, it could discretely display "This page can only be viewed by Administrators" (or whatever the admins role has been called). And if the setting has been invoked for editing, and you are logged in as Administrator, it could display "This page can only be edited by Administrators" (other roles would not see this msg).  I don't think a msg would be helpful for the child pages protection.

These could perhaps be displayed on the admin bar?

1/17/2012 12:48:12 PM
Gravatar
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog - permissions to create post

That's great news Joe, thanks a lot for doing this. We don't need to use the "restrict to Administrators" functionality, but for those who do, this will help out tremendously.

Just to follow this all the way through, can you also remove Content Administrators from the roles check box list? As I understand it from your correction, by definition Content Administrators will always be able to edit, except when the page is locked down to Administrators only (now via radio button). So there should never be a need to check that box either, correct?

Jamie

1/22/2012 11:27:03 AM
Gravatar
Total Posts 18439

Re: Blog - permissions to create post

These changes are now live on the demo site if you check the page settings and feature instance settings.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.