
Tikiwiki-devel (mailman list mirror)


Permission question


Hello Devs,

Me again, lost in permissions

I was developing a new function for the tracker plugin, similar to the “user” field, but that has an additional filter field in case there are multiple items for the same user in the tracker. Here is the code in wikplugin_tracker.php:

elseif (!empty($view) && $view == 'userandfield' && $userfieldtofilter && $fieldtofilter && $fieldtofiltervalue) {
    $trackerinfo = Tracker_Query::tracker($trackerId)
        ->filter(['field' => $userfieldtofilter, 'value' => $user])
        ->filter(['field' => $fieldtofilter, 'value' => $fieldtofiltervalue])
        ->status(strlen($status) >= 1 ? $status : 'opc')
        ->lastModif($fieldtofiltercriteria == 'lastModifAsc' || $fieldtofiltercriteria == 'lastModifDesc' ? true : false)//Not Working
        ->created($fieldtofiltercriteria == 'creationAsc' || $fieldtofiltercriteria == 'creationDesc' ? true : false)
        ->desc($fieldtofiltercriteria == 'creationDesc' || $fieldtofiltercriteria == 'creationDesc' ? true : false)
        ->query();
    $itemIds = array_keys($trackerinfo);
    $itemId = $itemIds[0];
    $usertracker = true;
}

I did this some time ago, and thought it was working ok, but on further testing, I realised it only works with admin group. Even if I turn on all tracker permissions for users, it doesn’t work.

Is there any other hidden permission I should enable to use the Tracker_Query for non admin users?

Thank you all!

Fernando
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world’s most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
TikiWiki-devel mailing list
TikiWiki-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tikiwiki-devel

Found where the issue is (I think)

On Query.php

/**
 * permission check on view
 *
 * @access public
 * @return bool view
 */
public function canView()
{
    if ($this->permissionsChecks == false) return true;

    return Perms::get(['type' => 'tracker', 'object' => $this->trackerId])->view;
}

Even if I enable all tracker view perms (global, category and object) it doesn’t work.

If I edit it and return true it works.



> On 14 Nov 2017, at 17:13, Fernando Vergos Torres <fernandovergostorres@gmail.com> wrote:
>
> Hello Devs,
>
> Me again, lost in permissions
>
> I was developing a new function for the tracker plugin, similar to the “user” field, but that has an additional filter field in case there are multiple items for the same user in the tracker. Here is the code in wikplugin_tracker.php:
>
> elseif (!empty($view) && $view == 'userandfield' && $userfieldtofilter && $fieldtofilter && $fieldtofiltervalue) {
>     $trackerinfo = Tracker_Query::tracker($trackerId)
>         ->filter(['field' => $userfieldtofilter, 'value' => $user])
>         ->filter(['field' => $fieldtofilter, 'value' => $fieldtofiltervalue])
>         ->status(strlen($status) >= 1 ? $status : 'opc')
>         ->lastModif($fieldtofiltercriteria == 'lastModifAsc' || $fieldtofiltercriteria == 'lastModifDesc' ? true : false)//Not Working
>         ->created($fieldtofiltercriteria == 'creationAsc' || $fieldtofiltercriteria == 'creationDesc' ? true : false)
>         ->desc($fieldtofiltercriteria == 'creationDesc' || $fieldtofiltercriteria == 'creationDesc' ? true : false)
>         ->query();
>     $itemIds = array_keys($trackerinfo);
>     $itemId = $itemIds[0];
>     $usertracker = true;
> }
>
> I did this some time ago, and thought it was working ok, but on further testing, I realised it only works with admin group. Even if I turn on all tracker permissions for users, it doesn’t work.
>
> Is there any other hidden permission I should enable to use the Tracker_Query for non admin users?
>
> Thank you all!
>
> Fernando

Hi Fernando,

The permission to view tracker items is called ‘view_trackers’, not just
view. Similar change is needed in canEdit and canDelete methods:
relevant permissions to check there are modify_tracker_items and
remove_tracker_items. I am not sure why it uses just ‘view’, ‘edit’ and
‘delete’ permissions but these do not seem to exist on the tracker
object. ‘view’ and ‘edit’ permissions exist on a page object but
‘delete’ is called ‘remove’. So, this seems like old code that has
not been updated when permissions were updated or something like that.

Regards,
Victor


On 11/14/2017 09:32 PM, Fernando Vergos Torres wrote:
> Found where the issue is (I think)
>
> On Query.php
>
> /**
>  * permission check on view
>  *
>  * @access public
>  * @return bool view
>  */
> public function canView()
> {
>     if ($this->permissionsChecks == false) return true;
>
>     return Perms::get(['type' => 'tracker', 'object' => $this->trackerId])->view;
> }
>
> Even if I enable all tracker view perms (global, category and object) it doesn’t work.
>
> If I edit it and return true it works.


Hi Fernando

I agree with Victor, lib/core/Tracker/Query.php, along with lib/core/Report was a pre-unified search experiment that I never really understood and I’m not sure was ever usable. I think we should plan to remove it - unless anyone else knows better?

Better to use \Tracker_Item and \Tracker_Definition I think, both of which have methods for editing and adding tracker items, e.g. \Tracker_Definition::canInsert

jb





> On 15 Nov 2017, at 07:37, Victor Emanouilov <tiki@emicris.com> wrote:
>
> Hi Fernando,
>
> The permission to view tracker items is called ‘view_trackers’, not just view. Similar change is needed in canEdit and canDelete methods: relevant permissions to check there are modify_tracker_items and remove_tracker_items. I am not sure why it uses just ‘view’, ‘edit’ and ‘delete’ permissions but these do not seem to exist on the tracker object. ‘view’ and ‘edit’ permissions exist on a page object but ‘delete’ is called ‘remove’. So, this seems like old code that has not been updated when permissions were updated or something like that.
>
> Regards,
> Victor
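
The failure discussed in this thread, reduced to a stand-alone PHP sketch (an added example, not code from Tiki or from the posters): a check that reads a permission name the object type does not define denies every non-admin whatever is granted, and comparing the names a check reads against the defined names catches that without switching the check off. `PermAccessor`, `KNOWN_PERMS` and `unknownPerms` are hypothetical names, and the admin bypass is an assumption based on the behaviour Fernando reports.

```php
<?php
// Hypothetical model of a permission accessor; NOT Tiki's Perms class.
// Assumption: a name that is not granted (including one that does not exist
// for the object type) reads as denied, and administrators bypass the lookup.
final class PermAccessor
{
    private array $granted;
    private bool $isAdmin;

    public function __construct(array $granted, bool $isAdmin = false)
    {
        $this->granted = $granted;
        $this->isAdmin = $isAdmin;
    }

    public function __get(string $name): bool
    {
        return $this->isAdmin || in_array($name, $this->granted, true);
    }
}

// Permission names per object type as given in Victor's reply; the array
// keys 'tracker' and 'page' are labels chosen for this example.
const KNOWN_PERMS = [
    'tracker' => ['view_trackers', 'modify_tracker_items', 'remove_tracker_items'],
    'page'    => ['view', 'edit', 'remove'],
];

/** Names a check reads that are not defined for its object type. */
function unknownPerms(string $type, array $usedByCheck): array
{
    return array_values(array_diff($usedByCheck, KNOWN_PERMS[$type] ?? []));
}

// Constructed sample: a non-admin holding every tracker permission, and an admin.
$user  = new PermAccessor(KNOWN_PERMS['tracker']);
$admin = new PermAccessor([], true);

// 'view' is not a tracker permission, so granting tracker permissions cannot satisfy it.
var_dump($user->view);
// The admin bypass answers before the name is looked up, which hides the bad name in admin-only testing.
var_dump($admin->view);
// The name that exists on tracker objects is satisfied by the same grant.
var_dump($user->view_trackers);

// Names read by canView/canEdit/canDelete according to the thread: all three are reported.
print_r(unknownPerms('tracker', ['view', 'edit', 'delete']));
```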

