Versions Compared

Old Version 12

changes.mady.by.user Guillaume LEPICARD

Saved on

compared with

New Version Current

changes.mady.by.user Guillaume LEPICARD

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

<version>/<domain>/<action>/[modifiers]+For instance named

Example: A pkgsecupremission instance is defined with following with properties:

  • name: “Update owned offline“

...

  • permission: v1/objectdata/update/$offline/$selfowner

...

Such permission grants to update instances in an offline status (status is not online and not archived) that he the operating user owns (object.owner == surfer.id)

Patterns

  • version: The only available version for patterns is v1 but introducing a version in patterns will ease further improvements and ease ascendent compatibility. Until new versions are available, just keep in mind that natively handled permissions start with “v1”.

  • domain: The domain of the security rule that this permission will act on. As of

    Status
    title2021.3.0
    , objectdataand boards are handled.
    Since
    Status
    title2022.3
    , objectactions and applications domain are handled

  • action: The action within the domain that this permission will act on. As of

    Status
    title2021.3.0
    , all actions from objectdata domain can be handled.
    modifiers: Modifiers will define the Since
    Status
    title2022.3
    , new actions added to objectdata and objectactions are handled.

  • modifiers: Modifiers will define the context for which the action will be granted. Modifiers vary from one action to the other:

    • objectdata

      • insert action: 1 modifier is to be defined: creationMode. Therefore, all insert permissions follow this pattern: v1/objectdata/insert/<creationMode>

      • changestatus action: 3 modifiers are to be defined: workflowAction, instanceStatus, ownership. Therefore, all changestatus permissions follow this pattern: v1/objectdata/changestatus/<workflowAction>/<instanceStatus>/<ownership>

      • other objectdata actions (delete, i18nfieldstranslate, order, retrievecaption, update, view): 2 modifiers are to be defined: instanceStatus, ownership. Therefore, all those actions follow this pattern: v1/objectdata/<action>/<instanceStatus>/<ownership>

    • boards

      • makepublicboard action: No modifiers - permission is granted or not

      • shareboard action: 3 modifiers are to be defined: boardVisibility, boardType, ownership,

    • applications (since

      Status
      title2022.3
      )

      • isavailable action: 1 modifier is to be defined: applicationName. Therefore, all isavailable permissions follow this pattern: v1/applications/isavailable/<applicationName>

Modifiers

Each modifier supports specific keywords to finely define the context.

...

Ownership allows to limit a permission to the owner property of an instance. 2 7 keywords are available

  • $selfowner: User must be the owner of the instance to be able to perform an action

  • $anyowner: No restriction on ownership

  • $boardcollaborator: Specific to boards domain - Identify the surfer as a collaborator on a board

...

  • $teammember:

    Status
    colourPurple
    titlesince 2024.1
    Allows to check whether the surfer is part of the field team (team is a child multi on user). This requires the structure to have the pkg/security/collaborative config tag

  • $teamleader:

    Status
    colourPurple
    titlesince 2024.1
    Allows to check whether the surfer is denoted in the field jobowner. This requires the structure to have the pkg/security/collaborative config tag

  • $teamviewer:

    Status
    colourPurple
    titlesince 2024.4
    Allows to check whether the surfer is part of the field viewers (viewers is a child multi on user). This requires the structure to have the pkg/security/collaborative config tag.
    Caution, $teamviewer ownership can only be used with view action

  • $public:

    Status
    colourPurple
    titlesince 2024.4
    Allows to check whether the instance is NOT private →private field as a child activated = 2. This requires the structure to have the pkg/security/collaborative config tag.

Groups pkgsecugroup

Groups allow to centralize multiple permissions on one or many objects, for one or many roles and one or many users.

...

It is possible to automatically extend some bases with the ones provided by the plugin:

  1. Set plugin parameter extend_bases to true

  2. Make sure extended_bases references to the coma-separated list of bases you want the plugin to extend (base_list,base_search by default)

  3. Make sure extend_with references the coma-separated list of bases you want to use to extend the extended_bases list of bases (base_pkgsecurity_view by default)

By doing so, you will be instructing the plugin to extend base_list and base_search with base_pkgsecurity_view for each object.

...

Preventing bases for Developers to be extended

Given that

  1. extend_bases = true

  2. extended_bases = base_list,base_search

  3. extend_with = base_pkgsecurity_view

To deactivate the extension for all objects for role 4 (and therefor to be able to see any instance), you can define the config to:

...

@pkgV1ObjectActions is defined to check for an objectname if some permissions were given to a user for the corresponding objectdata action → No additional configuration is required on objectactions: an action from objectactions domain will be granted if some permissions were given on objectdata

Equivalences

objectactions action domain

tested objectdata action

create

insert

Check for existence of either

objectdata/insert/$anycreation
or
objectdata/insert/$newcreation

damimport

massimport

multiupdate

update

Check for existence of
objectdata/update/*

datavaluespicker

broadcastVideo

broadcastVideo

Check for existence of
objectdata/broadcastvideo/*

defineVideoPoster

defineVideoPoster

Check for existence of
objectdata/definevideoposter/*

delete

delete

Check for existence of
objectdata/delete/*

editPicture

editPicture

Check for existence of
objectdata/editpicture/*

editVideoChapters

editVideoChapters

Check for existence of
objectdata/editvideochapters/*

editVideoSubtitles

editVideoSubtitles

Check for existence of
objectdata/editvideosubtitles/*

embed

embed

Check for existence of
objectdata/embed/*

manageVideoCallToActions

manageVideoCallToActions

Check for existence of
objectdata/managevideocalltoactions/*

manageVideoRolls

manageVideoRolls

Check for existence of
objectdata/managevideorolls/*

order

order

Check for existence of
objectdata/order/*

sliceVideo

sliceVideo

Check for existence of
objectdata/slicevideo/*

Cheat sheet

Find for each managed domain / action, the permission pattern

domain

action

permission pattern

applications

isAvailable

v1/applications/isavailable/:applicationName

boards

makePublicBoard

v1/boards/makepublicboard

boards

shareBoard

v1/boards/shareboard/:boardVisibility/:boardType/:ownership

objectdata

broadcastVideo

v1/objectdata/broadcastvideo/:instanceStatus/:ownership

objectdata

changeStatus

v1/objectdata/changestatus/:workflowAction/:instanceStatus/:ownership

objectdata

defineVideoPoster

v1/objectdata/definevideoposter/:instanceStatus/:ownership

objectdata

delete

v1/objectdata/delete/:instanceStatus/:ownership

objectdata

editPicture

v1/objectdata/editpicture/:instanceStatus/:ownership

objectdata

editVideoChapters

v1/objectdata/editvideochapters/:instanceStatus/:ownership

objectdata

editVideoSubtitles

v1/objectdata/editvideosubtitles/:instanceStatus/:ownership

objectdata

embed

v1/objectdata/embed/:instanceStatus/:ownership

objectdata

i18nFieldsTranslate

v1/objectdata/i18nfieldstranslate/:instanceStatus/:ownership

objectdata

insert

v1/objectdata/insert/:creationMode

objectdata

manageVideoCallToActions

v1/objectdata/managevideocalltoactions/:instanceStatus/:ownership

objectdata

manageVideoRolls

v1/objectdata/managevideorolls/:instanceStatus/:ownership

objectdata

order

v1/objectdata/order/:instanceStatus/:ownership

objectdata

retrieveCaption

v1/objectdata/retrieveCaption/:instanceStatus/:ownership

objectdata

sliceVideo

v1/objectdata/slicevideo/:instanceStatus/:ownership

objectdata

update

v1/objectdata/update/:instanceStatus/:ownership

objectdata

retrieveCaption

view

v1/objectdata/

retrieveCaption/:instanceStatus/:ownership

objectdata

sliceVideo

v1/objectdata/slicevideo/:instanceStatus/:ownership

objectdata

update

v1/objectdata/update/:instanceStatus/:ownership

objectdata

view

v1/objectdata/view/:instanceStatus/:ownership

Find available values for modifiers

modifier

value

description

applicationName

<name>

Name of the application (BackOffice → bo...)

boardVisibility

$publicboard

A board that is not private

$privateboard

A private board

$anyvisibilityboard

A board private or not

boardType

$anyboardtype

Any type of board

<type>

A board of type <type>

creationMode

$newcreation

Only fresh new instances

$copycreation

Only copies

$anycreation

Any mode

instanceStatus

$online

An online marked state

$archived

An archived marked state

$offline

A state that is neither marked online not archived

$initialstatus

The initial state of the instance (usually = 2)

$anystatus

Any state

<customMetaStatus>

A custom meta state

<statusID>

The ID of a status

ownership

$selfowner

User must be the owner of the instance to be able to perform an action

$anyowner

No restriction on ownership

$boardcollaborator

Specific to boards domain - Identify the surfer as a collaborator on a board

view/:instanceStatus/:ownership

Find available values for modifiers

modifier

value

description

applicationName

<name>

Name of the application (BackOffice → bo...)

boardVisibility

$publicboard

A board that is not private

$privateboard

A private board

$anyvisibilityboard

A board private or not

boardType

$anyboardtype

Any type of board

<type>

A board of type <type>

creationMode

$newcreation

Only fresh new instances

$copycreation

Only copies

$anycreation

Any mode

instanceStatus

$online

An online marked state

$archived

An archived marked state

$offline

A state that is neither marked online not archived

$initialstatus

The initial state of the instance (usually = 2)

$anystatus

Any state

<customMetaStatus>

A custom meta state

<statusID>

The ID of a status

ownership

$selfowner

User must be the owner of the instance to be able to perform an action

$anyowner

No restriction on ownership

$boardcollaborator

Specific to boards domain - Identify the surfer as a collaborator on a board

$teamleader

User is referenced on jobowner field (child → user)

Requires pkg/security/collaborative on structure

Status
titlesince 2024.4

$teammember

User is referenced on team field (cmlr → user)

Requires pkg/security/collaborative on structure

Status
titlesince 2024.4

$teamviewer

User is referenced on viewers field (cmlr → user)

Requires pkg/security/collaborative on structure

Status
titlesince 2024.4

$public

Instance has property private equals to false

Requires pkg/security/collaborative on structure

Status
titlesince 2024.4

workflowAction

$publish

Publishing action: performing a workflow action that will move the instance in an online marked state

$archive

Archiving action: performing a workflow action that will move the instance in an archived marked state

$forward

Forward action: performing an action marked forward, and that will not lead to online or archived marked state.

$backward

Backward action: performing an action NOT marked forward, and that will not lead to online or archived marked state.

$process

Any process action: performing that will not lead to online or archived marked state.

$anyaction

Any workflow action (including publishing and archiving actions)

<actionName>

If none of the above keywords, the action name is taken as is and resolved base on the instance’s workflow

Further reading

Rights and roles To learn how the default application is configured in terms of roles and permissions

Roles & Permissions To learn how you can use a dedicated user interface to configure roles and permissions