Share » Forums » Setup & design » one user is in vacation or sick and...

one user is in vacation or sick and another user should take over his work...

one user is in vacation or sick and another user should take over his work...

Saturday 17 April 2004 2:38:03 am - 5 replies

Author Message

Gunnstein Lye

Monday 19 April 2004 7:46:02 am

A user can be placed in as many groups as you want. He/she will get all the roles assigned to all the groups.

If you have role policies based on object ownership, then it will be very hard to transfer the rights. A user group for each user would help, but will be much work to maintain if you have many users. Also, you would have to change your roles to not use object ownership as access criteria.

Changing eZ publish so that a user "has" the user ID of several users would be a lot of work, and very dangerous in terms of security. Allowing user A to view user B's notification and collaboration items would also be very hard.

The easiest solution in this case is to give B's password to A when B is away.

Thomas Nunninger

Monday 19 April 2004 10:48:27 am

Hey Gunnstein,

thank you for your answer. Giving away the passwort is not a really serious solution. Even if your suggestion would be acceptable there is the problem that I always need to log in into different accounts - I would do this only once a day - not really in time...

I spent almost the whole day on this problem - trying to find out how for example the pendinglist works. Now I have an idea...:

In the file 'kernel/content/ezcontentfunctioncollection.php' the function fetchPendingList() is defined. This function calls eZPersistentObject::fetchObjectList() with the following condition for the database query:

array('creator_id' => $userID, 
      'status' => EZ_VERSION_STATUS_PENDING)

If I'm right, I just need to replace $userID with an array of the relevant user ids - that is: I need one function, searching the relevant IDs in a content class belonging to this feature.

Then I searched for 'creator_id' in the whole code finding 51 places, which I have to look at if this piece of code is relevant for such a feature. Additionally to the 'creator_ids' I need to collect the additional roles for the user - but I think this should be a thing that could be solved much more central (probably in the ezRole class...)

In the end I just need some additionaly templates in the admin interface to transfer temporary the rigths of one user to another one...

There are just some additional questions I need to test; e.g. if User B creates a new version of an object of User A: who is / should be the owner of that object?

What do you think?

Thank you and have a nice day

Thomas

Gunnstein Lye

Tuesday 20 April 2004 12:28:15 am

I know that giving away the password is not ideal, but it is safer than the alternative. Remember, if you do these changes, then it may get very difficult to upgrade eZ publish later. Also, you may get security and stability problems. It depends on how much work you are willing to do to achieve what you want, of course. Anyway, good luck.

AFAIK, owner/creator id is set on creation of an object, and is never changed.

Paul Borgermans

Tuesday 20 April 2004 1:12:08 am

Hi,

Here we have a similar situation implemented, but only for secretaries to be able "to take over" the role of certain users. This is coupled to our specific use of hierarchies and extra attributes defined for users (not applicable for you).

There is also a "super user password" functionality which can be used to login as any user (known only to the admins of course). This is all implemented in a custom login handler, so it does not interfere with future upgrades. The idea is very simple: first compare the password used to a set of predefined passwords in a dedicated ini file (store password hashes, not the bare text passwords), if it matches, the login is granted. If not it is checked the regular way (in our case against a LDAP server). It is very useful to test roles for users.

An even better way would be to implement a "login as ... " functionality in a seperate module so you can define a new policy to enable this in certain roles. Thats more work of course.

hth

-paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans

Thomas Nunninger

Tuesday 20 April 2004 1:26:03 am

Hey Paul, hey Gunnstein,

thank you for your ideas.

When we where discussing the solutions we found the problem of upgrading to. Because of that we decided not to do this.

Paul, your idea is good. We also thought about a similar way: changing the user object of the current session. This means: you log in with your own password and then you have the possibility to switch in the other user's identity. Both ways would be a more central solution than our first idea.

Thank you and have a nice day

Thomas

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu