01-12-2010, 09:05 PM
varjak
2008-10-22 22:52:17 PDT
Hi Folks,
Installed and using ODM for a few weeks now with good results but have just encountered a problem you maybe can help me with.
Here's the order of events
3 users were set up in a department "dept1" say.
A number of documents loaded with "view" permissions set for "dept1" department
If I browse->by department I see those docs for dept1 and the 3 initial users can see the documents and have correct access rights to them. So far so good...
When I add a new user to the Dept1 group though, and log in as that new user, I can see all the files in list form but they are locked out from any viewing. Their permissions show -|-|- and the user can only see the "history" option on the file details page.
Looks like I have a problem with the dept permissions for these files as adding a new user to the department doesn't "inherit" the correct access rights..
I'm going to start checking the table fields but wondered if you have any advice on this?
Cheers.
varjak
2008-10-22 23:33:44 PDT
Further investigation shows that the dept_perms table has an entry which shows the correct rights for the dept for these files.
The user_perms table doesn't have any records relating to access rights for the new user so it looks like the file access is being controlled at user level and not department level.
If this is the case, it poses a problem for us as we don't want to have to reset all the user rights on every document when we add a new user to a dept.. We need to control this at department level.
How can we ensure that adding a new user to a dept automatically grants them access to that department's files??
Cheers,
James
jonathanwminer
2008-10-23 06:00:22 PDT
Hi James -
Based on my experience, as our ODM deployment has grown, we've added both users and documents, and I don't believe I've come across the problem you describe. I do have problems where people set a document to be "viewed", instead of "read"...
- Jon
varjak
2008-10-27 17:06:14 PDT
Thanks for the input Jon,
It seems that all our docs have the dept rights set to 1 (view) and when I updated all those rows to be 2 (read), I got the behaviour I was looking for. New dept users can see the documents with correct permissions.
These rights should have been set when the document was loaded though so something appears to be going wrong on the doc load.
I added some test docs and specifically set the dept permissions to either read or write and then checked the dept_perms table only to find that the dept entries still only had "view" rights. I had to go back into the doc details in ODM and update the permissions for them to be updated in the db.
So it appears (for my db instance anyway) that on the initial load of a document, the dept permissions you set are being ignored and a default of 1 (view) is being applied. I can use the ODM interface to then update the dept permissions correctly but we don't really want to have to go back and do that when loading each document.
I'll have a look at the source code that's creating the dept_perms record when adding a new document and see if I can work out why it's defaulting to view - (maybe someone else has already found and modified this??)
Can anyone tell me exactly what the difference between view and read is? I'm presuming view is when you can see the records exist but can't access them in any way (even to read them) and read is the same but with access to open and read the document?? Would that be right?
Thanks,
James
varjak
2008-10-27 18:35:44 PDT
After having a look at the php;
Looks like edit.php is behaving ok and committing the correct dept authority selections to the db but add.php looks like it's got a problem.
Looks like it doesn't matter what dept authority is selected when adding a doc, there are only 2 dept rights values that will be inserted;
There is a piece of code between lines 323 and 333 in add.php;
    $query = "SELECT name, id FROM department ORDER BY name";
    $result = mysql_query($query, $GLOBALS['connection']) or die ("Error in query: $query. " . mysql_error());
    while( list($dept_name, $dept_id) = mysql_fetch_row($result) )
    {
        if($dept_id == $current_user_dept)
            echo "\n\t".'<input type="hidden" name="'. space_to_underscore($dept_name).'" value="1"> '."\n";
        else
            echo "\n\t".'<input type="hidden" name="'.space_to_underscore($dept_name).'" value="0"> '."\n";
    }
    echo "\n\t".'<input type="hidden" name="default_Setting" value="0"> '."\n";
    mysql_free_result ($result);
This chunk seems to determine the initial dept rights for a newly loaded doc (1 if the dept id is the same as the current user and 0 if it's not). I edited the numbers to ensure that the initial dept rights change accordingly and they do.
Commenting out this chunk results in "0" rights for all departments when adding a doc so I'm going to have a further look at the method of grabbing the dept rights from the form as I've definitely got a problem in this area. Maybe others do too??
It may take me some time to have a close look at this area so welcome any other help in the meantime.
Thanks,
James
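Added example, not part of the original thread and not ODM's own code: an audit that lists users who hit the lockout described above, where the only grant on a file is a department right of 1 (view) and no user_perms row exists. Only the table names dept_perms and user_perms and the values 1 (view) and 2 (read) come from the thread; the column names, the user table and the sample rows are assumptions, run here against an in-memory SQLite database.

```python
import sqlite3

VIEW, READ = 1, 2  # rights values quoted in the thread: 1 = view, 2 = read

# Assumed schema: only the table names dept_perms and user_perms appear in the
# thread; every column name and the "user" table are assumptions.
SCHEMA = """
CREATE TABLE user       (id INTEGER PRIMARY KEY, username TEXT, department INTEGER);
CREATE TABLE dept_perms (fid INTEGER, dept_id INTEGER, rights INTEGER);
CREATE TABLE user_perms (fid INTEGER, uid INTEGER, rights INTEGER);
"""

# Department members whose only grant on a file is a view-level department
# right and who have no per-user row: the file is listed but cannot be opened.
AUDIT = """
SELECT u.username, dp.fid, dp.rights
FROM dept_perms dp
JOIN user u ON u.department = dp.dept_id
LEFT JOIN user_perms up ON up.fid = dp.fid AND up.uid = u.id
WHERE dp.rights = :view AND up.uid IS NULL
ORDER BY u.username, dp.fid
"""

def build_sample_db():
    """Constructed sample data: three original users with per-user rows on
    file 10, plus one user added to the department afterwards."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 1), (3, "carol", 1), (4, "newuser", 1)])
    # File 10 kept the default department right (view); file 11 was later
    # corrected to read through the edit page.
    db.executemany("INSERT INTO dept_perms VALUES (?, ?, ?)",
                   [(10, 1, VIEW), (11, 1, READ)])
    db.executemany("INSERT INTO user_perms VALUES (?, ?, ?)",
                   [(10, uid, READ) for uid in (1, 2, 3)])
    return db

def locked_out(db):
    """Return (username, fid, dept_rights) for every user/file pair at risk."""
    return db.execute(AUDIT, {"view": VIEW}).fetchall()

if __name__ == "__main__":
    for username, fid, rights in locked_out(build_sample_db()):
        print(f"{username}: file {fid} listed but not readable (dept rights={rights})")
```

Running the same audit after each batch of uploads shows whether new documents are still being stored with the default department right instead of the one selected on the add form.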