Section Segmentation and User Permissions Part 2 of 2
Wednesday 02 July 2008 5:44:00 am
User – the content object
A content object is considered a "User" object if it contains an attribute of the "User account" datatype. All objects that have an attribute of this datatype will automatically become valid users. Here, we will explore this datatype and the built-in "User" class for an example user called "Bergfrid Skaara".
User account datatype
The "User account" datatype is critical to the permission system. You may think of it as the key property. It supports the validation, storage and retrieval of a username / password combination and an e-mail address. All elements are required. This is a datatype with several elements, similar to the "Image" datatype (although in that case, not all elements are required).
User account datatype
The Anonymous user
Recall that the permission system is cumulative, starting at a point of no access. A prerequisite for enforcing access control is that eZ Publish knows which policies to apply. This is determined by first checking the currently logged in user. But what if some unregistered random visitor is just browsing your pages? Browsing means that you can, at a minimum, view content. To address this situation, eZ Publish has a special-purpose user account, the Anonymous user (and corresponding user group).
Each time someone visits your site, they are silently logged in by eZ Publish, which sets the current user to "Anonymous". Then, the permission system can correctly apply the rules specified for this user (or group). If the visitor decides to log in with a personal account, the current user will be changed accordingly. This usually implies that the visitor is granted more rights, for example to submit comments, or to get access to the Website Toolbar (if he or she is an editor).
User class
The following screenshot shows an object of the "User" class in edit mode:
Object of the User class
The "Signature" and "Image" attributes are typically used in forums. Note that the username part of the "User account" attribute is grayed out, since it cannot be modified after the "User" object has been created.
User - the account and profile
Although the term "user account" technically references a datatype, it is more commonly interpreted by site visitors as the "ability to log in" and "personal space". The latter is usually referred to as the user profile in the front-end context, and as the My account tab in the Administration Interface. Note that "user profile" may also denote the information stored in the actual "User" object, such as first and last name, image and signature. In other words, editing your user profile means to edit the contents of the object holding your user account.
Your personal space provides access to change your password (without editing the profile), manage drafts and notifications, view orders and wish lists (if your site has a webshop), and access pending content waiting for approval (only in the Administration Interface) or a future publication date.
In order to access your personal space, you must log in to either the front-end or the Administration Interface. In the Website Interface, click the My profile link in the top right corner of the website. This opens the My profile page:
The My account tab of the Administration Interface gives access to all parts of your personal space:
My account tab
Note in particular the Current user window in the right area, where you can click links to bring up interfaces for changing information or your password. This panel is part of the overall Administration Interface layout, and is thus accessible from all tabs. In other words, you do not need to navigate to the My account tab in order to simply edit your profile or change your password.
User groups
A user group is a named collection of users and can contain both individual user objects and other user group objects. It is created, stored and managed as a content object of the “User group” class. Both users and user groups can be associated with a set of policies (called "roles") that determine privileges. You will find more information about this later. General rules are usually assigned to groups, whereas specific, dedicated responsibilities are assigned directly to individual users.
Predefined groups
The default groups are pre-configured and usually define the different kinds of users expected on your site. The default groups for sites that use the Website Interface are listed below:
| Group | Description |
|---|---|
| Anonymous users | Used for the Anonymous user to let unregistered site visitors view unrestricted content. |
| Members | Commonly used for community and self-registered users. |
| Partners | Used for selected users that are allowed access to the Restricted section. |
| Editors | Used for content editors, managers and webmasters. Usually restricted to the Content and Media subtrees. |
| Administrator users | Used for the site administrator with unlimited access and for advanced content managers who need access to perform site management tasks. |
Self-registered users
Self-registered users are those who have clicked the Sign up button in the Login interface or the Register link in the top right of a front-end siteaccess, and filled in and submitted the necessary user information. Such user accounts are disabled until users have clicked the link within the confirmation email sent by eZ Publish.
After clicking the confirmation link, self-registered users are activated in the Members group in sites that use the Website Interface. To gain more privileges, an advanced content manager or webmaster must move the account into another group, or assign the necessary roles to the individual account.
Managing users and user groups
The User accounts tab enables you to browse and manage nodes within the Users branch of the content node tree. This tab also provides access to the permission system so that you can view and manage roles and policies.
User accounts tab
In general, the layout of the User accounts tab follows the same principles as for the Content structure and Media library tabs. The six areas are present in their normal positions. The Search interface, main menu and path are found horizontally at the top of the page, and the left menu, main area and right area are aligned side-by-side below these elements. The left menu contains content objects belonging to the Users branch.
Managing users and user groups is done similarly to how you would manage other content objects. The same principles apply when creating, editing, viewing, copying, deleting, moving, translating and cross-publishing.