Permission and Search

berniet

Joined: 2009-08-24
Posts: 4
Posted: Wed, 2009-08-26 20:51

Hi,

Today I was testing the effect of permissions on search.
I think that there's a mistake in the search module (search.php).

This piece of code seems to be used to filter the search result in accordance with the view rights:
    if (!user::active()->admin) {
      foreach (user::group_ids() as $id) {
        $fields[] = "`view_$id` = TRUE"; // access::ALLOW
      }
      $access_sql = "AND (" . join(" AND ", $fields) . ")";
    } else {
      $access_sql = "";
    }

The problem is that all users are members of the groups Everybody and Registered Users, but the value TRUE is never assigned to columns view_1 and view_2 when content is uploaded.

A quick solution could be to replace the AND with an OR in the search query:
    if (!user::active()->admin) {
      foreach (user::group_ids() as $id) {
        $fields[] = "`view_$id` = TRUE"; // access::ALLOW
      }
      $access_sql = "AND (" . join(" OR ", $fields) . ")";
    } else {
      $access_sql = "";
    }

But in my mind (I might be wrong), the idea of altering the SQL schema when a new group is created (or deleted), by creating or dropping a column "view_$groupid", is not very "nice" (what if more than 4067 groups are created, 4096 being the max # of columns in MySQL 5 and 29 being the # of columns other than View_xxx?).

Globally, I'd say that Gallery3 is a very nice solution. But I have concerns about the permission system, which looks too light compared to role-based user-group rights management.

Hope that part of the project will be improved.

Cheers,
Bernie
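
The AND-versus-OR difference described in the post above, as an added example that is not part of the original thread or of Gallery 3's code. It assumes a constructed SQLite `items` table with `view_1` to `view_3` columns (group 3 is a hypothetical extra group), uses `= 1` in place of `TRUE`, and goes slightly beyond the post by rejecting non-integer group ids and handling an empty group list.

```python
import sqlite3

def access_clause(group_ids, joiner):
    """Build the view-permission filter; joiner is "AND" or "OR"."""
    if joiner not in ("AND", "OR"):
        raise ValueError("joiner must be AND or OR")
    # Group ids end up inside column names, so accept integers only.
    ids = [int(g) for g in group_ids]
    if not ids:
        return "AND 0"  # no groups: match nothing instead of emitting "AND ()"
    fields = [f"view_{gid} = 1" for gid in ids]
    return "AND (" + f" {joiner} ".join(fields) + ")"

def search(conn, term, group_ids, joiner, admin=False):
    """Return matching titles, filtered by view rights unless admin."""
    clause = "" if admin else access_clause(group_ids, joiner)
    sql = f"SELECT title FROM items WHERE title LIKE ? {clause} ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def demo_db():
    """Constructed sample data: 1 = Everybody, 2 = Registered Users,
    3 = a hypothetical group created by the site owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, "
        "view_1 INTEGER DEFAULT 0, view_2 INTEGER DEFAULT 0, "
        "view_3 INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO items (title, view_1, view_2, view_3) VALUES (?, ?, ?, ?)",
        [
            ("beach public", 1, 1, 1),   # viewable by every group
            ("beach family", 0, 0, 1),   # viewable by group 3 only
            ("beach private", 0, 0, 0),  # viewable by no group
        ],
    )
    return conn

if __name__ == "__main__":
    conn = demo_db()
    member_of = [1, 2, 3]
    print("AND:", search(conn, "beach", member_of, "AND"))
    print("OR: ", search(conn, "beach", member_of, "OR"))
```

With AND, a member of groups 1, 2 and 3 loses "beach family" from the results even though group 3 may view it; with OR the item is returned, while "beach private" stays hidden in both cases.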

 
floridave

Joined: 2003-12-22
Posts: 22888
Posted: Thu, 2009-08-27 17:07

Having 4K groups is not in the scope of G3. If you are a host and want to install G3 for each user that would be a solution.
Having lots of users and placing those users in the group is the best way to go.

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

 
berniet

Joined: 2009-08-24
Posts: 4
Posted: Thu, 2009-08-27 18:14

Hi Dave,

I'm not a host, and won't reach 4K groups.
But if I were, and if I had to provide a public solution for Gallery management, with the ability for each subscribed user to have a private album, as rights are based on Group (which I fully support), I bet that the 4K groups will be quickly reached.

I was just raising the point because I've seen a few things linked to permissions that look strange to me, i.e.:
1- If you give only the Add right to someone, he/she can create Albums and/or Photos, but he/she can't modify or delete any while he/she's the owner.
2- If you then give the edit permission, to allow modification and/or deletion of content, then you also give the right to modify the permission rules on the complete mediabank.
3- ...

Just a few reasons that I think (but again, I might be wrong) can justify a more solid permission model.

Cheers,
Bernie

 
nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Fri, 2009-08-28 20:42
Quote:
1- If you give only the Add right to someone, he/she can create Albums and/or Photos, but he/she can't modify or delete any while he/she's the owner.

That's related to this bug:
https://sourceforge.net/apps/trac/gallery/ticket/452

Quote:
2- If you then give the edit permission, to allow modification and/or deletion of content, then you also give the right to modify the permission rules on the complete mediabank.

Don't know what "mediabank" is. If you mean album, that's the only way to do it in G3 because permissions are only applied to the album, not the photo.


 
floridave

Joined: 2003-12-22
Posts: 22888
Posted: Sat, 2009-10-24 23:16

berniet,
there was a ticket created for search and it is now fixed:
http://sourceforge.net/apps/trac/gallery/ticket/805

Dave
