Security Advice needed, re: Group vs Category
Hi.
Now that I've done a clean install from your download files, I'm finding your blog software really cool, easy to use, and easy to configure. Thank you for a great product.
Advice I can offer so far to other newbies. Using that easy-peezy-lemon-squeezy control-panel install from your hosting provider will probably make your life harder, not easier.
Ok, now, one thing I'm having trouble with is the security strategy that pulls categories in with groups.
It may be that I'm trying to make blog software serve in the role of document management and that I'm trying to turn a screw with a hammer.
Groups are great, let's say:
Visitors
Acquaintances
Friends
Good Friends
Best Friends
I want the same set of content-categories to show for each of these groups (even if there are only one or two people in there... ahem... ). Depending on what category, or set of categories they choose to view, I want them to see all the messages to which their group has been given access.
As a newbie, and un-initiated, I want to think this would require View and Comment attributes to be specifiable for each message. It would be fine with me if these attributes each held only a single security group. I don't mind making people members of multiple groups depending on where they are in the hierarchy (e.g. Friends are members of "Friends", "Acquaintances", and "Visitors" groups).
I've messed with the category hierarchy, but that either spreads a single content-category over multiple security branches of the tree, or it spreads a given security-group over multiple content-categories of the tree. Either way (I think), the visitor will have to click into multiple combined security/content categories to see all the messages in a given content-only category.
I suppose you could place a given message in multiple security-categories for the same content-category but this would seem even more tedious than just saying what group gets to read, and what group gets to comment. Also, since content-categories are listed on each entry, this would certainly clutter up the display. And what a mess if your entry fits into multiple content-categories.
Also, having a tree of security-over-content, or content-over-security would multiply the categories listing on the side of the blog listing-screen. In essence, no matter how you do it, you'd have a list of security- multiplied by content-category categories in the listing.
I noticed that the category plug-in lets you limit your blog to a single root-level branch (or a single ANY-level branch), but I haven't been able to figure out how to make that work to resolve the issues alluded to above...
That's why I'm here, hat in hand, asking for your advice....
Thanks if you can help.
-djr
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: Security Advice needed, re: Group vs Category
Hi!
Hm, I'm not sure what your final goal is. But from what I read, you want to post blog entries that only specific users can read, depending on your group status.
Serendipity only has singular read-privileges for all blog postings of a category. That means, if you create a category called "Security" and post things into that category, everyone with read-privileges to that Category can view ALL entries in it. It seems you would want another level of access control, so that people can only read specific posts inside the "Security" category.
If that's the case, you'll need to create exactly one category to match with exactly one usergroup.
More precisely, let's say you have two usergroups, "Friends" and "Co-Workers". Now you create a blog posting inside the "Security" category, to which both usergroups have access. But your blog posting is called "PHP-Security", which is not relevant to your "Friends", so you want to hide that entry. That's your goal, right?
In that case, you would need to create a subcategory like "Security > Friends" and "Security > Co-Workers", and then you'd need to put the blog postings that are only for "friends" inside that category, and postings only for Co-Workers into the equally named category. Postings that both can read could go into "Security" as the root category.
Now your visitors can see all security-related postings when they go to "Security", because it merges every blog posting in a subcategory into the root category. Members of "Friends" will thus not see any "Co-Workers" postings, because their group has no read privileges to the "Security > Co-Workers" Category.
This does indeed mean a lot of cluttering, so you might want to think about whether the categories for your different usergroups really intersect, or if you can't simply manage singular categories and put postings for multiple audiences simply into multiple categories. Then each category of your blog would correspond to a user group, and they would simply pick the main blog level to read all postings to every category they are a member of.
Any sense left?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: Security Advice needed, re: Group vs Category
Thanks Garvin.
I think I am trying to turn a screw with a hammer. You explained how clicking on a given super-class will show everything that is in the classes below them (I'll call it a "roll-up" feature like in project management software).
Using your example:
Groups:
(these are purely to determine access)
* Co-workers
* Friends
Subject-categories
People from each security group can read about different subjects. Within each subject, there are access capabilities.
* Travels
* Programming Issues
* Gossip
To give each message particular access by any given group, admin would need to define two related categories under each subject-category, which are each exclusively accessible by their own respective security group. They do not have to have the same name as their respective security GROUP but they do in the example below:
Travels
. . . Co-Workers
. . . Friends
Programming Issues
. . . Co-Workers
. . . Friends
Gossip
. . . Co-Workers
. . . Friends
This is subject-category over security-category.
In this case, a reader who is a member of Friends-only can click on any of the three top-level categories ([category]) and s/he will see any messages in the [category]->Friends category. S/he will not see messages that are only posted to the [category]->Co-Workers category. Someone who is a member of both groups will see all the messages posted to both security-categories under whatever (top level) subject-category they click on.
If someone who is a member of neither GROUP clicks on the subject (top level) category or any of its sub-categories, they will see no messages to list.
Even with the roll-up feature, this has the problem of showing the superfluous, underlying security-group related categories. There's really no way around it. That's the best I'm going to do with subject-categories that are overloaded with security (or vice versa).
If there were a way to hide, say, all but the top-most level of hierarchical categories, that might do the trick.... Or if the categories for security were a completely different (additional) variable... Or if security groups attached directly to messages (the most general solution)....
But, getting back full circle, to the top of the post, I'm trying to use a hammer to turn a screw. Damn it Jim! This is a blog, not a document server...
I wanted a blog and I have found a great one! If I decide I also want a document server I'll add one at that time.
Thanks again Garvin.
-djr
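The access model worked through above (subject category over security subcategory, with the roll-up of subcategory entries into the parent), as an added example that is not part of the original thread or of Serendipity's code. Group, category and entry names are constructed from the thread's examples; checking each category on its own, rather than blocking a whole subtree, is a modelling assumption, and the sidebar helper models the catdepth filter discussed later in the thread.

```python
"""Model of per-category read privileges with subcategory roll-up.

Added example, not Serendipity's own code. Categories form a tree, each
category lists the usergroups allowed to read it, and viewing a category
also shows entries of its subcategories, filtered by the viewer's groups.
"""
from dataclasses import dataclass, field


@dataclass
class Category:
    name: str
    read_groups: frozenset            # groups that may read entries here; empty = public
    catdepth: int = 0                 # 0 = root, like the template variable
    children: list = field(default_factory=list)
    entries: list = field(default_factory=list)

    def add_child(self, name, read_groups):
        child = Category(name, frozenset(read_groups), self.catdepth + 1)
        self.children.append(child)
        return child

    def child(self, name):
        return next(c for c in self.children if c.name == name)

    def readable_by(self, user_groups):
        # Public category, or the viewer holds at least one permitted group.
        return not self.read_groups or bool(self.read_groups & frozenset(user_groups))

    def visible_entries(self, user_groups):
        # Roll-up: viewing a category shows its own entries plus those of every
        # subcategory the viewer may read. Modelling assumption: each category
        # is checked on its own; an unreadable one contributes nothing.
        found = list(self.entries) if self.readable_by(user_groups) else []
        for child in self.children:
            found.extend(child.visible_entries(user_groups))
        return found

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def build_blog():
    """Constructed tree: three public subjects, each split into Co-Workers/Friends."""
    blog = {}
    for subject in ("Travels", "Programming Issues", "Gossip"):
        root = Category(subject, frozenset())
        root.add_child("Co-Workers", {"Co-Workers"})
        root.add_child("Friends", {"Friends"})
        blog[subject] = root
    # Constructed entries; one is posted to a root category, so everyone sees it.
    blog["Travels"].child("Friends").entries.append("Beach photos")
    blog["Travels"].child("Co-Workers").entries.append("Conference trip report")
    blog["Programming Issues"].child("Co-Workers").entries.append("PHP-Security")
    blog["Gossip"].entries.append("Public announcement")
    return blog


def sidebar(blog, max_depth):
    """Category names shown if the sidebar template hides everything deeper
    than max_depth (the catdepth check discussed in this thread)."""
    return [c.name for root in blog.values() for c in root.walk() if c.catdepth <= max_depth]


if __name__ == "__main__":
    blog = build_blog()
    print(blog["Travels"].visible_entries({"Friends"}))               # Friends-only member
    print(blog["Travels"].visible_entries({"Friends", "Co-Workers"}))  # member of both
    print(blog["Travels"].visible_entries(set()))                      # member of neither
    print(sidebar(blog, 0))                                            # only the subjects
```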
Re: Security Advice needed, re: Group vs Category
Hi!
The serendipity category plugin is a templated one, you can change its output through the plugin_categories.tpl file.
Through that, you could hard-code the exclusion of any category that is called "Co-Workers" or "Friends" (the template exposes the name as category_name, as in the plugin_categories.tpl posted further down):
```smarty
{if $plugin_category.category_name == 'Co-Workers' OR $plugin_category.category_name == 'Friends'}
    {* do nothing *}
{else}
    ... here the usual code ...
{/if}
```
HTH,
Garvin
Re: Security Advice needed, re: Group vs Category
Garvin,
That is very cool!
Question: Can I generalize this? That is: Is there a variable that tells me what level a given category is in?
example:
```smarty
{if $plugin_category.depth == 0} {* if it is at the root *}
    ... the usual code ...
{else}
    {* do nothing *}
{/if}
```
If there is a depth-indicator in the category structure (there must be, right?), we could even test against some pre-specified depth parameter. (i.e., $plugin_category.depth <= $plugin_category.parm_display_depth).
Thanks again Garvin.
-s
Last edited by Stosh on Thu Jun 17, 2010 11:19 pm, edited 1 time in total.
- Regular
- Posts: 3652
- Joined: Mon Feb 13, 2006 2:40 am
- Location: Chicago, IL, USA
Re: Security Advice needed, re: Group vs Category
John - I believe what you are looking for is {$plugin_category.catdepth}. There would not be a parameter {$plugin_category.parm_display_depth} because it does not exist within the category plugin. You could, however, have a template-wide variable that you could then modify via template options... but I don't really see any advantage to that over hard coding something like:
```smarty
{if $plugin_category.catdepth >= 2}
    ...do something...
{/if}
```
And so there is no misunderstanding, this is only going to affect the list of categories shown in the sidebar... this has nothing to do with accessing particular entries.
=Don=
Re: Security Advice needed, re: Group vs Category
Don,
OOPS! P.S. Question: Is the depth variable you mentioned earlier ... (is the root 1 or 0)?
Thanks. That should do it (going to try it now).
I'm using "competition" (originally had a coffee cup in the banner). I don't see a plugin_categories.tpl in there so (?) that means I modify the one in the default directory (i'll try it)...
. . . . . . .
Regarding:
Don Chambers wrote: And so there is no misunderstanding, this is only going to affect the list of categories shown in the sidebar... this has nothing to do with accessing particular entries.
I understand that this is a kludge (a workaround at best). It is only going to hide my underlying security infrastructure from the display on the right side of the screen. It is likely to show up in other contexts. Certainly it will show up in the categories list when entering a new entry (as you would want it to in that context).
Thanks again. I'll let you know how it goes after I've had some time to evaluate it.
-John
P.S. What is the best-practice attribution policy if making visual changes to these themes? ... new topic / next time
Re: Security Advice needed, re: Group vs Category
Stosh wrote: Question: Is the depth variable you mentioned earlier ... (is the root 1 or 0)?
Yes. It is 1 or 0. I think it is 0, but that should be easy enough for you to discover.
Stosh wrote: I'm using "competition" (originally had a coffee cup in the banner). I don't see a plugin_categories.tpl in there so (?) that means I modify the one in the default directory (i'll try it)...
COPY the one from the default folder to your template folder, and modify that COPY.
Stosh wrote: P.S. What is the best-practice attribution policy if making visual changes to these themes?
Whatever has been requested by the author, if anything. If the template says "template by John Doe", leave that intact, then add something like "modified by Stosh".
=Don=
Re: Security Advice needed, re: Group vs Category
Hi again.
Well, that didn't go anywhere.
I've looked up and down the serendipity/templates directory. I downloaded the entire templates directory and recursively dir'd for plugins_categories.tpl. Then renamed them all at the server with a '.ORG' tacked on. The blog still runs, and still displays the categories list...
I'm using "coffee cup", which seems to be in the "competition" directory. Where might I find the plugin_categories.tpl template for this?
Help!
-John
Re: Security Advice needed, re: Group vs Category
John,
the correct filename is plugin_categories.tpl (singular on "plugin", NOT pluginS).
Contents of that file are:
```smarty
{if $is_form}
<form id="serendipity_category_form" action="{$form_url}" method="post">
<div id="serendipity_category_form_content">
{/if}
<ul id="serendipity_categories_list" style="list-style: none; margin: 0px; padding: 0px">
{foreach from=$categories item="plugin_category"}
    <li class="category_depth{$plugin_category.catdepth} category_{$plugin_category.categoryid}" style="display: block;">
    {if $is_form}
        <input style="width: 15px" type="checkbox" name="serendipity[multiCat][]" value="{$plugin_category.categoryid}" />
    {/if}
    {if !empty($category_image)}
        <a class="serendipity_xml_icon" href="{$plugin_category.feedCategoryURL}"><img src="{$category_image}" alt="XML" style="border: 0px" /></a>
    {/if}
        <a href="{$plugin_category.categoryURL}" title="{$plugin_category.category_description|escape}" style="padding-left: {$plugin_category.paddingPx}px">{$plugin_category.category_name|escape}</a>
    </li>
{/foreach}
</ul>
{if $is_form}
<div class="category_submit"><input type="submit" name="serendipity[isMultiCat]" value="{$CONST.GO}" /></div>
{/if}
<div class="category_link_all"><a href="{$form_url}?frontpage" title="{$CONST.ALL_CATEGORIES}">{$CONST.ALL_CATEGORIES}</a></div>
{if $is_form}
</div>
</form>
{/if}
```
=Don=
Re: Security Advice needed, re: Group vs Category
Don,
Oops. Sorry. the extra 'S' on the end of one of those "plugin" names was a typo HERE, not in my recursive listing.
I recursively listed all the plugin_categories.tpl files in the /serendipity/templates directory, and then went online and renamed them (put '.ORG' on the end of each name). These were in the default/, and default-php/ directories. The one I had modified was also in the competition/ directory where I had copied it earlier.
Even with these files renamed, the blog continues to run and continues to show the full list of categories.
Before this, I had produced a modified copy of the plugin_categories.tpl file. For now I'm just including a bit of "debug" text so that I can see the changes clearly. I tried putting it up but wasn't able to get the blog to use it. This led to the drastic step of simply renaming all the plugin_categories.tpl files in the /templates directory.
The problem is, I can't find from where -in the directory structure- the blog is currently getting this template, so that I can get my modified tpl file to show in its place.
-John
Re: Security Advice needed, re: Group vs Category
Hi!
Did you maybe do anything to the templates_c/ directory and/or the files in it? To me it sounds as if smarty doesn't compile your template there; this could be due to missing write privileges, but also maybe because, when you update your files, your client does not update the "last modified" timestamp of a file, which is required for smarty to detect if it needs to recompile templates.
Regards,
Garvin
Re: Security Advice needed, re: Group vs Category
Garvin,
I'm not sure. I'll be a data-collector:
- The templates_c directory is chmod'd 777.
- There are php files in there for competition AND for bulletproof.
- These don't sort well because they have extra codes, but a couple of visual scans do not show any files in there ending in "plugin_categories.tpl.php."
- The files I upload get "present" modification dates.
-John
More Info - Re: Security Advice needed, re: Group vs Category
Hi,
A little more information.
I've tried uninstalling and re-installing the categories plugin. The templates_c/ directory is not updated. The last-modification date is 11/07/09 and remains there after un-installing and re-installing the categories plugin.
All indications during this process remained "green".
After uninstalling and re-installing the categories plugin, the categories appeared at the bottom of the right-hand column in the front-end screen.
Again, through all of this, the mod-date on templates_c/ did not change. The only mod dates I currently see changed (today's date) are on, -and in-, the templates/ directory.
-John
Re: Security Advice needed, re: Group vs Category
Did you activate the smarty option in the category plugin? It is the last option for the plugin labeled "Enable Smarty-Templates? "
=Don=