
Multi-category how to check access-rights?


11 years 1 month ago - 11 years 1 month ago
#11473
With this I mean the following:

If we want to give maintainers specific edit, publish, create rights then there is at this moment no way to do it correctly when you're using multi-categories.

Although an event can be linked to multiple categories, the problem is that the access rights can be different.

For example: what to do if:
- event +cat1 + group2 (user1, edit right)
- event +cat2 + group1 (user1, no edit right)
How to check in what category we are?

Not sure about this situation and perhaps some other example would be better, but well, the multi-cat thing is an issue.

When using single categories there won't be a problem at all because things can be specified/checked much more easily. For example we can pass the catid of the event and check that one. As there is 1 category linked to it and you don't have to deal with different variances, that's no problem.

This was probably the reason why editing for maintainers was not integrated within EL. The other thing, checking for create rights, is a bit better to check so it makes sense that one was integrated.

So if you want to have specific rights for the maintainers I definitely would recommend using single cats (+ some modification to do). But perhaps the access rights can be defined in some other way.

So the question is:
- are there any ideas?
Last edit: 11 years 1 month ago by Bluefox.


Re: Multi-category how to check access-rights?

11 years 1 month ago - 11 years 1 month ago
#11474
Further note:

We can define actions for the event page but as said it can be linked to a category with different user rights. We can define the action based upon the event id but again it can give trouble. Or am I wrong with that?

The thing is that at the moment I've redefined the event maintainer rights. It's checking the event id but at the moment I'm not that sure if it should be uploaded as it can give unwanted things when using the multi thing.

Another drawback with this multi thing is that we can't use the internal Joomla access thing to the fullest and probably have to rewrite a bunch of code. So that's also a drawback and definitely something to think of. And besides the access thing there can be more issues.

So perhaps we have to weigh the benefits against the drawbacks of using the multi-cat. (My opinion about it is clear.)

//
just some points...
Last edit: 11 years 1 month ago by Bluefox.


Re: Multi-category how to check access-rights?

11 years 1 month ago
#11475
Hi Bluefox,

This is a good question with potential to a big discussion. ;)

I found out too that JEM (like EL) doesn't support Joomla's new ACL system. So it is not possible to create new access levels on Joomla and set this in category - only default levels 1 (public), 2 (registered) and 3 (special) are supported. On the other side JEM supports user groups as a parallel mechanism (for venues only? I only see options to create, publish and edit venues, is this correct?).

But at abstract level I would say:
- if a user is authorized to create events, he should be able to attach them to categories he is able to see
- if a user is authorized to edit an event, he should be able to do so as long as there is at least one category he can see - because there is a way giving him the right.
- a super user should be able to do anything anywhere (I remember there was something confusing me - you could take a look at GitHub issue 369)

Regarding venues I'm not very clear at the moment - I should refresh my brain... ;)


Re: Multi-category how to check access-rights?

11 years 1 month ago
#11476
One point I forgot:

We can use subcategories. What about groups attached to the parent? Are the rights derived? ;)


Re: Multi-category how to check access-rights?

11 years 1 month ago - 11 years 1 month ago
#11477
@Hoffi,
Thx for responding :)

> potential to a big discussion.

Definitely, and it will lead to headaches.

> I found out too that JEM (like EL) doesn't support Joomla's new ACL system

Actually Jojo and others did mention several times to integrate the ACL thing but you're right, it's not integrated. The backend is looking a bit at it but the front is not implemented. And it will stay like that for a while till someone finds the solution for it. The ACL thing can be implemented a bit, but I think assigning specific rights can't be done without a lot of code tweaking. One thing for sure: I won't look at it for a while.

The thing is that with the cat-id within the event table (Joomla way) and doing so using single cats it would have been much easier to integrate permission checking and other things. As it's a special feature of JEM perhaps it's something we should keep, so I was wondering what the opinion is about it or how we can make the multi-cat work.

> I only see options to create, publish and edit venues, is this correct?

You're right with that and it was meant as a temporary solution, these are global rights.

> if a user is authorized to create events, he should be able to attach them to categories he is able to see
> - if a user is authorized to edit an event, he should be able to do so as long as there is at least one category he can see - because there is a way giving him the right.

True, and in fact I did refactor/alter the user.class for the event maintainers to do just that. But I didn't upload the changes as there can be problems with that.

For example: event with two categories
- the maintainer is assigned to 1 category.
- if the maintainer is allowed to edit the event, will it see 1 category or should it see both?
- but what if it saves the event? Should the event only have that 1 category attached to it or also the other?
And there are probably more situations around.

> Are the rights derived? ;)

No, they probably won't.

About the venues: a thing can be to assign categories to them.

//
Perhaps I'm just thinking way too difficult and there is a way to make the multi-cat work with specific permissions.
Last edit: 11 years 1 month ago by Bluefox.


Re: Multi-category how to check access-rights?

11 years 1 month ago
#11478
Hi Bluefox,

> For example: event with two categories
> - the maintainer is assigned to 1 category.
> - if the maintainer is allowed to edit the event it will see 1 category or should it see both?
> - but what if it saves the event? should the event only have that 1 category to it or also the other?
> And there are probably more situations around.

Thinking with roles could help a bit.
If user A is able to edit an event attached to categories A and B but he would not be allowed to attach an event to category B, he should not be able to unattach it from category B. There was another user B who had made the relation between this event and category B. But user A should be able to edit the event itself.
So I think user A should see all categories attached (and attachable by him) to the event, but not be able to change attachment to "foreign" categories - don't know if this is implementable.
Another question is deletion. Can user A delete his own event if it is attached to a category user A has no edit/delete rights for?
Or what about categories now unpublished? As far as I remember it is not possible to unattach an unpublished category (neither as Super user :( ).

Another aspect are the pitiable administrators. Multiple categories are a nice feature but make administration much more complex.
Maybe some hard restrictions could help keeping things a bit more simple. E.g. by grouping categories so it is not allowed to attach events to categories with different user groups. Or let admin decide if he needs multi-cat events OR differentiated access rights. Or write a disclaimer. :laugh:

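The rules proposed in the posts above (edit is allowed when at least one attached category grants it, and attachments to "foreign" categories cannot be changed by that user) can be enforced at save time. This is an added sketch, not part of the thread and not JEM or Joomla code. It assumes plain integer category ids and hypothetical helpers `canEditEvent()` and `resolveCategoriesOnSave()`, with the user's rights already reduced to one list of manageable category ids.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not JEM or Joomla API.

/** Edit is allowed when at least one attached category grants it to the user. */
function canEditEvent(array $eventCats, array $manageable): bool
{
    return count(array_intersect($eventCats, $manageable)) > 0;
}

/**
 * Compute the category list to store when a maintainer saves an event.
 * Attachments to categories the user does not manage ("foreign") are kept
 * unchanged; the user may only add or remove categories they manage.
 */
function resolveCategoriesOnSave(array $current, array $submitted, array $manageable): array
{
    if (!canEditEvent($current, $manageable)) {
        throw new RuntimeException('No edit right on any attached category');
    }
    // Refuse newly attached categories the user cannot manage.
    $added   = array_diff($submitted, $current);
    $illegal = array_diff($added, $manageable);
    if ($illegal !== []) {
        throw new RuntimeException('Cannot attach to category: ' . implode(',', $illegal));
    }
    // Foreign attachments survive even when the edit form left them out.
    $foreign = array_diff($current, $manageable);
    $own     = array_intersect($submitted, $manageable);
    $result  = array_values(array_unique(array_merge($foreign, $own)));
    sort($result);
    return $result;
}

// Constructed sample: event attached to categories 1 and 2, user manages 1 and 3.
$current    = [1, 2];
$manageable = [1, 3];

// The form posts only category 3: own category 1 is dropped, foreign 2 is kept.
print_r(resolveCategoriesOnSave($current, [3], $manageable));

// Attaching the event to unmanaged category 4 is refused.
try {
    resolveCategoriesOnSave($current, [1, 4], $manageable);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Computing the stored list on the server from the current attachments, rather than trusting the submitted list, is what keeps a maintainer's save from silently detaching another group's category.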
