#009416: User selfedit no longer works

Description:

I created a role with the following policies:

  • content / read / no limitation
  • user / login / siteaccess mysite_admin
  • user / selfedit / no limitation
  • user / password / no limitation
  • user / preferences / no limitation

When I log in with a user with this role assigned to him, a click on "Change Information" gives me an eZp Kernel 1 error.

I should be able to edit my user profile.

If I add content / edit / class(user), I can, but for all other users too.

It seems that kernel/content/edit.php doesn't use eZContentObject::canEdit() anymore (it was the case in eZp3.6), though only eZContentObject::canEdit() checks for the selfedit policy (eZContentObject::checkAccess doesn't).


Environment:

Operating System: Linux Debian
PHP Version: 4.4.4
Database and version: MySQL 4.1


- Attachments

No attachments for this issue.


- Comments

Tested in 3.8.7 (stable 3.8, rev 17438)

#250334 by Lenara Anafieva on November 16th, 2006 [Permanent Link]

Fixed in stable/3.8 (3.8.7) rev. 17517,
trunk (3.9.0rc2) rev. 17518.

#250378 by Vladimir Polyanin on November 17th, 2006 [Permanent Link]

Why not use content/edit, class(user), owner(self) instead, since the user/edit view is deprecated? I think user/selfedit should be deprecated too.

#250379 by Kristof Coomans on November 17th, 2006 [Permanent Link]

Because the user's contentobject is not owned by the user itself if it has been created by another user (an admin one for example) or by the LDAP process.

So selfedit is very useful.

And I don't agree with you that user/edit is deprecated: look at ez.no's "my profile" link ;)

#250382 by Vincent Lepot on November 18th, 2006 [Permanent Link]

Oh, and thanks Vladimir for the fix. I hope 3.8.7 will come very soon.

#250383 by Vincent Lepot on November 18th, 2006 [Permanent Link]

Hi Vincent

There's code in eZContentObject::checkAccess that takes care of this.


else if ( $this->attribute( 'owner_id' ) == $userID || $this->ID == $userID )
{
    $access = 'allowed';
}

And user/edit is definitely deprecated according to a comment in kernel/user/module.php.

#250385 by Kristof Coomans on November 19th, 2006 [Permanent Link]

As I consulted with the team, the user/selfedit permission allows each user to edit his own profile only, without any additional edit permissions.
Changing the user content object's owner to the user himself to allow self profile editing looks somewhat strange, because such users possibly will not have any edit permission except for their own profile. Using owner access rights to improve selfedit permissions is too complicated for an admin compared with owner-independent selfedit.

#250395 by Vladimir Polyanin on November 20th, 2006 [Permanent Link]

I agree with Vladimir.

The user/selfedit policy is a better solution than tricking the owner limitation of the content/edit policy. The selfedit right is very useful and much more understandable for an eZ publish administrator.

And if user/edit is deprecated, I think a similar right is needed for user object reading (permitting the use of content/view with an "only me" limitation).

#250396 by Vincent Lepot on November 20th, 2006 [Permanent Link]
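
The three role setups compared in this thread, as an added example that is not part of the original issue and is not eZ Publish code. The function canEditModel(), the array layouts and the IDs are hypothetical; the owner limitation is modelled as a plain owner_id comparison, without the `$this->ID == $userID` clause quoted in the comments above.

```php
<?php
// Simplified model of the access decision discussed in this thread.
// Not eZ Publish code: canEditModel() and the array layouts are hypothetical.

/**
 * @param array $policies list of ['module'=>, 'function'=>, 'class'=>?, 'owner'=>?]
 * @param int   $userID   ID of the logged-in user's own content object
 * @param array $object   ['id'=>, 'owner_id'=>, 'class'=>]
 */
function canEditModel(array $policies, int $userID, array $object): bool
{
    foreach ($policies as $p) {
        // user/selfedit: identity check only, independent of who owns the object.
        if ($p['module'] === 'user' && $p['function'] === 'selfedit') {
            if ($object['class'] === 'user' && $object['id'] === $userID) {
                return true;
            }
            continue;
        }
        if ($p['module'] !== 'content' || $p['function'] !== 'edit') {
            continue;
        }
        // content/edit: every limitation present on the policy must match.
        if (isset($p['class']) && $p['class'] !== $object['class']) {
            continue;
        }
        if (($p['owner'] ?? null) === 'self' && $object['owner_id'] !== $userID) {
            continue;
        }
        return true;
    }
    return false; // default deny
}

// Constructed sample data: both profiles were created by an admin (ID 14).
$own   = ['id' => 42, 'owner_id' => 14, 'class' => 'user'];
$other = ['id' => 43, 'owner_id' => 14, 'class' => 'user'];

$roles = [
    'user/selfedit'                         => [['module' => 'user', 'function' => 'selfedit']],
    'content/edit class(user)'              => [['module' => 'content', 'function' => 'edit', 'class' => 'user']],
    'content/edit class(user), owner(self)' => [['module' => 'content', 'function' => 'edit', 'class' => 'user', 'owner' => 'self']],
];

foreach ($roles as $label => $policies) {
    printf("%-40s own=%s other=%s\n", $label,
        var_export(canEditModel($policies, 42, $own), true),
        var_export(canEditModel($policies, 42, $other), true));
}
```

Each output row shows whether user 42 may edit his own profile and another user's profile under that role, which makes the over-broad class(user) policy and the owner mismatch for admin-created accounts visible side by side.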

- History
Properties
Type Bug
Priority Medium
Components Administration Interface
Misc
Affects 3.8.6
Fix Versions 3.8.7, 3.9.0rc2
Reporter Vincent Lepot
Responsible Vladimir Polyanin
Status 0 Closed
Resolution Fixed
Created November 14th, 2006
Updated November 20th, 2006
Resolved November 17th, 2006
 