[opencms-dev] Take current user into account when calculating paths

[Christoph Fröhlich]

Hi,

as no one was able to answer, maybe my last question was too compact.
I will try to go a bit more into details. Maybe someone has an idea ...


We have a problem with configuring access control for users. 

The setup is roughly the following:
- The site is organized with container pages.
- Container pages live in folders.
- Folders belong to organization units (are assigned to the organization units as "resource").
- Container pages show one or more articles from /.content/articles
- Articles are created via ADE (drag a content type from ADE-bar and put it on container pages)
- Users belong to different organization units.

We have the following requirements regarding access control:
- Each user can edit container pages that belong to his organization unit.
- Each user can edit articles that belong to his organization unit.
- No user can edit container pages or articles that belong to other organization units.

The first requirement is fulfilled. Our setup prevent a user from editing container pages that do not belong to him.

But we can't find a way how to fulfill requirement two.
Unfortunately every user is able to edit every article, regardless on which container page it is placed on. It seems that the access rights of the container page are not being propagated down to its elements. And since all article resources live in /.content/articles – a folder where  all organization units can write to – it is comprehensible that every user is able to edit every article

I don't want to blame this behavior as a bug or bad design. To me, propagating access rights of container pages down to its elements seems to be über complex. Access rights are already difficult to maintain. So I agree totally with the decision not to inherit container page permissions to its contents. 
If we could find out how to organize article resources in subfolders (which we would then assign to organization units) I assume everything would be fine.

This is the rationale behind my following question:


Does anyone knows how we can configure ADE to create new articles not in "/.content/articles" but in "/.content/articles/[name of organization unit]" ?

Either by declaration or by implementing some Interfaces? I thought org.opencms.loader.I_CmsFileNameGenerator could be a candidate but I don't know how to configure a custom instance...

Or does anyone have a different proposal how our requirements can be fulfilled?


Sorry for writing so elaborately. Content-based publishing seems to introduce new concepts and problems. And I don't have good terms for all of them :(

Thanks and regards
Christoph



Am 15.01.2013 um 21:14 schrieb Christoph Fröhlich <cfauto at folge2.de>:

> Hi
> 
> we have a xml content type "article" and we have a site with multiple organization units.
> 
> When creating articles via ADE, we would like  that the organization unit of the current user is taken into account when the path of the new content is calculated.
> 
> For a user from OU1 the path should be: /articles/ou1/a_XXXX.html
> 
> For a user from OU2 the path should be: /articles/ou2/a_XXX.html
> 
> Is this possible?
> 
> Thanks and regards
> Christoph
>