Elxis CMS Forum
Support => Security => Topic started by: epaz on January 16, 2008, 22:24:14
-
Lets assume the following scenario: Under the "Registered users" role I have a child role "Customers" who, in turn, has 2 children, lets say "Customers of group A" and "Customers of group B". Is there any way that I can assign both roles to a user?
What I am trying to describe is a scenario that a customer (registered user) who has access to specific content according to the products that he has bought. What if a customer has bought products both from group A and group B? Is there any way that I can describe (to the CMS system) such a case?
Thanx
-
Hmm, let's see... you are saying that Customer A can't view products of Category B until he buy something from Category B. After Customer A buys something of Category B, he should be able to see both categories. Is that the scenario?
-
A user can belong only to one group. He can have access to other groups but belong only to one.
You are using this groups hierarchy:
- Registered
--- group A
--- group B
- group C
As groups A and B are of the same level, a user that belongs to group A can not have access to group B and the opposite. But user C has access to both A and B. Maybe this is the solution for you. In your case I would nt try to solve this problem with ACL.
-
Help me understand this...Group C is sibling (same level) to Registered or a child of it? In any case how is it possible user C to have access to group A or group B content?
I will make some statements and I would like you to mark them as Correct or Wrong:
1. If group C is sibling to Registered then user C should not be able to access group A or group B content
2. If group C is a child of Registered having no relationship with group A or B then user C should not be able to access group A or group B content
3. If group C is a child of Registered having group A and group B as children then user C should be able to access group A or group B content
Not using ACL? Have you any suggestions?
Thanx
-
I can not understand why you want to assign users based on products they purchased! After a purchase you change the user's group? If you explain what you need for your web site I might be able to help you.
-
Suppose that I have 2 product groups, group A (for small enterprises) and group B (for medium enterprises). All my customers belong to the generic group "Registered" when they first create an account. After that step, I take a look at the products each one has bought and I want to make him a member of either group A or group B. Until now everything is clean. One of my group A customers make a new purchase of a group B product (his enterprise has grown, lucky him!) so I want to leave him as a group A customer BUT I want to make him a group B member in order to let him access content specific to group B (lets say free downloads for group B products).
The story has to do with the commercial policy that the company is trying to work with...
-
If I understand well, you actually want to create system where Group A is the child of Group B. So, when user advances from user Group A to user Group B, he can access all Group A content + Group B content.
-
No.
Consider that group A and group B are of the same level. No relation to each other except that they have the same parent. Totally different content is accessible when a user is a member of the one or the other.
-
So you want to create a situation where user is a member of TWO groups at the same time! Hm, very interesting problem. I think it cannot be done, but you can create Group C with permissions that are "in between".
-
OK, I will give you a glimpse of Elxis advanced features and how you can play with ACL...
You don't need to assign users to special groups for that although I will show a way that makes use of 2 groups. You can do it like this:
Add a hidden field to users named extragids or something like this.
This field will contain a comma seperated list of groups this user is allowed to access EXCEPT the ones he is normally allowed.
Make all users registered. When they purchase something you have marked as in group A (gidA) edit his profile and add to the extragids the gidA. If he purchase something from groupB add also the gidB. So the extragids user field should be like this: gidA,gidB (i.e. 34,35)
After a user is logged in append the extra groups to the users allowed gids.
Example:
$myarr = explode(',', $my->allowed);
if ($extragids != '') {
$exarr = explode(',', $extragids);
foreach ($exarr as $ex) {
array_push($myarr, $ex);
}
$my->allowed = implode(',',$myarr);
}
So:
Registered users allowed groups before: '29,18'
Registered users allowed groups after: '29,18,34,35' (he has purchased from groupA and groupB)
Registered users allowed groups after: '29,18,34' (he has purchased from groupA)
Registered users allowed groups after: '29,18,35' (he has purchased from groupB)
You can also make this addition of the extragid automatically if you modify your purchasing script...
I think I told enough, this issue is outside the support I provide for free.
-
Thank you very much for the support. Having a broad experience on the needs of a commercial company I can tell you that such scenarios are very common to those that they keep an eye on their customer and want to have them satisfied. So my suggestion is to extend elxis with such a functionality. It will be far from the other competitors at ACL features.
-
Any PHP developer that knows Elxis internal features can do it easily. Elxis default distribution has a certain build type. You can change it very easily and make it do what ever you wish.
-
As I have said in a previous post, I am new to exlis. Can you explain what you mean saying "certain build type". Guided by the code snippet that you have provided, I have found the spot where I can inject my code and make it work but before that I want to exactly understand the terminology you (the community) are using.
Thanx
-
Though you haven't clarified the term "build type" I would like to publish what I have found during last days.
Well, I have injected a code with takes the "allowed" groups that the elxis engine constructs and extends it so to contain groups that I desire. From what I have seen all the queries against the database use a syntax like "....and access IN (".$my->allowed.") and ....". So here is my thought: Provide a web control where the user will be able to multi select groups and assigned them to a user (instead of the single select "tree like" list that exists now) and elxis will have a multi group acl support.
What do you think?
As I have said in a previous post, I am new to exlis. Can you explain what you mean saying "certain build type". Guided by the code snippet that you have provided, I have found the spot where I can inject my code and make it work but before that I want to exactly understand the terminology you (the community) are using.
Thanx
-
DON'T DO IT! YOU WILL MESS UP EVERYTHING!
$my->access is not just a group of random user groups! It describes in a simple and understandable by the usual user way the results of the hierarchy tree settings for a selected user. ACL is a very difficult subject. Don't play with ACL more than the point you are absolutely sure that you know what are you doing. The small hack I told above is an ACL trick that runs on runtime, it does not affect Elxis core, and only under some certain circumstances. What you said is a total destroy of ACL and outside the way ACL is build and used. Each group is a kind of room. You can be inside a room than is inside in an other, bigger room, but you can not be inside 2 rooms that they have nothing common! The "inners" groups you are is what the $my->access describes.
-
Hold on my friend. You have understood my point. The query portion that I have provided is an example to show that the $my->allowed property is used in "IN" statements. I am not "playing" with ACL I know very well how critical and tricky ACL is.