Blog Security (Role that can edit Content) Problem

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
12/16/2011 4:19:33 AM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Blog Security (Role that can edit Content) Problem

Hi Joe,

After upgrading to 2.3.7.5 a user can't add/edit posts in a blog.

The user is a member of 2 roles (i.e. "Section A Editors" & "Section B Editors")

Page "Section A" contains a Blog instance with "Section A Editors" set as Role that can edit Content

Page "Section B" contains a Blog instance with "Section B Editors" set as Role that can edit Content

User can edit Section A - Blog but cannot edit Section B - Blog

The two container pages have same settings

The two blog instances have same settings

Any clue ?

 

Thanks

Diego

12/19/2011 9:51:18 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

Hi Diego,

Is the user in both roles?

I would look in the settings for the blogs under the security tab and make sure it doesn't have "Administrators" as the only role checked for edit permissions. If it is checked I would uncheck it and save since admins don't need permission. The purpose of listing Administrators there is only for the case where one wants to limit editing to only Administrators. I.e., normally Content Administrators can edit anything and don't need permission, but it is possible to make content only editable by administrators if you set Administrators as the only edit role on the page and on the feature settings. However it is possible that older content may have been flagged with administrators role in the instance settings by default and that could cause the problem. So unchecking Administrators in the blog settings security tab should solve it if it is checked.

Hope that helps and sorry for the delayed response, it really just occurred to me what might cause this.

Best,

Joe

12/19/2011 12:16:44 PM
Total Posts 149
Partner
mojoPortal Skinning, Custom Development and Support in Italy?
EffectiveWeb.it

Re: Blog Security (Role that can edit Content) Problem

Hi Joe,

The user was set correctly and was a member of the role authorized to update the Blog instance content.

Following your suggestion, I got to thinking about the recent security update and I made a further check on the page settings and discovered that the security for the page containing the malfunctioning Blog instance was different. In fact, comparing it to the one that was working, there was a missing flag for "Content Publishers".

Now, the user in question was a member of neither Administrators nor Content Publishers but somehow the fact that only one role (Administrators) was authorized to change the page content was overriding the instance security settings.

By selecting the Flag for Content Publishers, the Blog instance security was re-set and now works as it used to before the last update.

Hope this helps to better understand the situation.

Regards.

Diego

12/19/2011 1:35:00 PM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

Hi Diego,

That does explain it. By design if Administrators role is checked and no other roles then only Administrators can edit the page, not even Content Administrators can edit the page in that case, so that is working as intended. If no roles are checked then by default Administrators and Content Administrators can still edit. So this is a feature that enables you to lock out Content Administrators from editing a page. However to really protect it the feature instances should also be marked as Administrators only, otherwise Content Administrators can still get to the content from Content Manager where there is no page context to enforce page roles.

We fixed a few bugs related to enforcing this Administrators only configuration in the 2.3.7.5 release so that is why it changed from before, we were not enforcing it correctly before.

Best,

Joe
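
The edit rules described in the posts above (Administrators as the sole checked role locks an item, a page-level lock overrides module roles, Content Manager has no page context), modelled as an added example that is not part of the original thread and not mojoPortal source code. The function names, the dictionary layout and the sample pages are assumptions constructed for illustration.

```python
# Added illustration: a model of the edit rule as described in this thread,
# not mojoPortal source code. Data layout and function names are assumptions.
ADMINS = "Administrators"
CONTENT_ADMINS = "Content Administrators"

def admins_only(edit_roles):
    """Lock applies only when Administrators is the sole checked role."""
    return set(edit_roles) == {ADMINS}

def can_edit_module(user_roles, module_roles, page_roles=None):
    """page_roles=None models Content Manager, where no page context exists."""
    user_roles = set(user_roles)
    if ADMINS in user_roles:
        return True                      # admins are never locked out
    if page_roles is not None and admins_only(page_roles):
        return False                     # page lock overrides module roles
    if admins_only(module_roles):
        return False                     # module lock holds in every context
    if CONTENT_ADMINS in user_roles:
        return True                      # otherwise needs no explicit grant
    return bool(user_roles & set(module_roles))

def audit(pages):
    """Return (page, module, finding) tuples for the two surprises discussed."""
    findings = []
    for page in pages:
        if not admins_only(page["edit_roles"]):
            continue
        for mod in page["modules"]:
            granted = set(mod["edit_roles"]) - {ADMINS}
            if granted:
                findings.append((page["name"], mod["name"],
                                 "module roles overridden by page lock: "
                                 + ", ".join(sorted(granted))))
            if not admins_only(mod["edit_roles"]):
                findings.append((page["name"], mod["name"],
                                 "Content Administrators can still edit "
                                 "via Content Manager"))
    return findings

# Constructed sample mirroring the thread's "Section A" / "Section B" pages.
SAMPLE_PAGES = [
    {"name": "Section A", "edit_roles": ["Administrators", "Content Publishers"],
     "modules": [{"name": "Blog A", "edit_roles": ["Section A Editors"]}]},
    {"name": "Section B", "edit_roles": ["Administrators"],
     "modules": [{"name": "Blog B", "edit_roles": ["Section B Editors"]}]},
]
```

Running `audit(SAMPLE_PAGES)` flags only the "Section B" blog, once for the editor role that the page lock silently overrides and once for the Content Manager path that stays open because the module itself is not locked.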

12/21/2011 10:18:43 AM
Total Posts 2239

Re: Blog Security (Role that can edit Content) Problem

Hi Joe,

A side effect of these changes is that we can no longer allow a role to edit a single instance on a page without allowing them to also add new content to the page. For instance, I have a site where I allow customers to upload project files to an instance of the Shared Files feature (each customer has their own). I don't want them to be able to add new feature on the page so I don't give them permission to edit the page. With these changes, I have to give them permission to edit the page just so they can edit the single feature I want them to be able to edit.

If we think about file permissions on a network, we can provide a user edit/write permissions to a single file (module) but not allow them to create new files (modules) in the folder (page).

Am I missing something that will allow me to grant users edit rights to a single module without first granting them edit rights to a page?

Thanks,
Joe D.

12/21/2011 10:21:52 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

Hi Joe,

Are you sure you don't have Administrators role checked in page edit settings or in module edit settings? If so uncheck them.

Best,

Joe

12/21/2011 10:29:13 AM
Total Posts 2239

Re: Blog Security (Role that can edit Content) Problem

Hi Joe,

Okay, forgive me for being so daft. I didn't catch that when I read the post. I removed the "Administrators" role from the edit perms on the page and it is working properly now.

Thanks,
Joe D.

12/21/2011 10:41:45 AM
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog Security (Role that can edit Content) Problem

Hey guys, I have to agree that although this "subtractive" use of the Administrators role is a well established part of mojoPortal security, it is pretty confusing since it works very differently than any other role. If possible, my suggestion would be to make the Administrators role appear as something like "Administrators Only" for these situations, so it's obvious that selecting that role will have some significant side effects.

Jamie

12/21/2011 10:52:47 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

Hi Jamie,

I see your point but I'm not sure I want to go and code in replacement text for the Administrator role everywhere.

If it is confusing your users one solution is to go to Role Administration and rename the Administrators role to Administrators Only. This doesn't really change the role name but only the display name. I could make it use that for the display name on new installations but if I were to update the db on existing installations it would affect people who may have localized the display name already for non English.

Best,

Joe

12/21/2011 11:04:30 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

Actually it is only 2 places, Page Settings and Module Settings so maybe coding in replacement text from a resource file there would be the best solution. Renaming the display name would make it weird when you wanted to add a user to the "Administrators Only" role.

Best,

Joe

12/21/2011 11:16:27 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

But I wonder if that would still be just as confusing because if it says "Administrators Only" then people may think checking it trumps other checkboxes which it doesn't. It is only locked down to Administrators when that is the only role checked. I'm not sure of a good way to make it obvious, it is a special case locking down content to only Administrators.

12/21/2011 11:43:22 AM
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog Security (Role that can edit Content) Problem

Well, if you're open to a philosophical change, I think the other way it could be handled is to actually change it to work in an additive way, using visual cues. I'm thinking that in page and module settings, it could show the Administrators role as always checked and grayed out (indicating that admins always have access), and content administrators as always checked by default but not grayed out (so the user can just uncheck content administrators to prevent them having access at that level).

If it were implemented this way then gurus would need to unlearn the old way of doing it, but I think it would be a lot more obvious what was going on for less experienced admins, and the checkboxes would really work the same for all of the roles.

Jamie

12/21/2011 11:55:48 AM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

No, I'm not open to that. It is too big a change and too much chance to introduce new bugs. If the user is admin we don't have to check object level permissions and it should never be possible to lock out admins from anything greyed out or not.

What I could do is add a config setting that allows you to not even show the administrators checkbox so that if you are not using the feature to lock out content administrators anywhere you can avoid the confusion. But I would have to keep the default as showing it since people may already have it checked.

Best,

Joe

12/21/2011 12:23:02 PM
Total Posts 18439

Re: Blog Security (Role that can edit Content) Problem

I think what I will do is show explicit instructions that explain it clearly without having to click the help link.

Best,

Joe

12/21/2011 12:39:40 PM
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Blog Security (Role that can edit Content) Problem

Thanks Joe, I thought it might have been a stretch to fundamentally change it like that. Your idea sounds like a good one.

Jamie
