I started to play with Joomla about 3 weeks ago as I found it the best candidate for the website for my club. This was the easiest to configure and customize to get the look I wanted. The website will have a dual purpose: present a public image of our club and give private info to our members. The main reason for picking a CMS is that we will be able to let our "key members" (contributors who would write something) bring materials to this new site. Role management in Joomla (even with the current 1.5.8 simple security) works very well for me, with two exceptions, which I think may be fixed minding the publishing "lifecycle".
I assumed the following interpretation of roles:
Author: Contributes with drafting articles. He should be able to enter and correct his draft if needed.
Editor: Does first editing of all drafts written by all Authors. It would be great to have an additional status between "draft" and "published". With an additional status the Editor could move an article from the "Draft" phase (available for the Author) to an "Edited" phase available to Editor and Publisher only. But I understand it may be a much bigger change, so I can live with two statuses now.
Publisher: Does final approval and authorize the article to be published on the website.
From all my tests and research in Joomla I found that the following roles have the following authorities in Joomla 1.5.8. I have prepared a simple table that shows what kind of authority particular groups have over articles during the article lifecycle.
Role        Add  SeeU   SeeP  EditU  EditP  Publ
Registered  No   No     ALL   No     No     No
Author      ALL  No     ALL   No     Owner  No
Editor      ALL  ALL    ALL   ALL    ALL    No
Publisher   ALL  ALL    ALL   ALL    ALL    ALL
Actions:
Add = Write new article
SeeU = See unpublished article
SeeP = See published article
EditU = Edit unpublished article
EditP = Edit published article
Publ = Edit and change article status Published/Unpublished
Authorities:
No = Disallowed
Owner = Allowed only for articles with this user as an author
ALL = Allowed for articles written by all users
Now I see a little flaw in this logic. There are four issues:
1. Problem: Author can not edit his article, which he just wrote because he can not see it as the article is in unpublished status. Resolution: Author should be able to see his own unpublished articles.
2. Problem: The same as above. Resolution: Author should be able to edit his own unpublished articles.
3. Problem: Author can edit his own articles after they have been approved (published). It means, for example, that the Author can re-insert "bad" content into the article that was removed (censored) by the publisher. Resolution: Author should not be able to edit any articles that have been published.
4. Problem: Editor can not publish articles, but he can edit already published content. The same example as described above: the editor can re-insert content that was removed by the publisher. Resolution: Editor should not be able to edit any articles that have been published.
So here is what I think it should be:
Role        Add  SeeU   SeeP  EditU  EditP  Publ
Registered  No   No     ALL   No     No     No
Author      ALL  Owner  ALL   Owner  No     No
Editor      ALL  ALL    ALL   ALL    No     No
Publisher   ALL  ALL    ALL   ALL    ALL    ALL
Change      Add  SeeU       SeeP  EditU      EditP      Publ
Author      -    No->Owner  -     No->Owner  Owner->No  -
Editor      -    -          -     -          ALL->No    -
I do programming for a living but unfortunately not in PHP, and it would take me forever to figure out which piece of code is responsible for these checks. However, I am sure these checks are done, as they work for some data combinations doing proper validation. Can someone point me to these pieces or maybe find a quick and easy fix that will do the job? I'm looking for the code that:
1. Checks based on User role and article status (published/unpublished) to decide if article should be shown on the screen. To fix the problem 1, article author checking needs to be added there.
2. Checks based on User role and article author to decide if article Edit Icon should be shown on the screen. To fix the problem 2 and 3 and 4, article status (published/unpublished) checking needs to be added there.
3. Checks based on User role if access to the editor is available. If the editor is used to edit an existing article, the checking for user role, article author and article status must be done. This will also fix the problem reported in the Security forum (add the &Form... to the link)
I hope that Joomla 1.5.xx is written in such a structured way that there are not too many places to change.
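The two tables from the post, written as a deny-by-default check and run against the four problem cases. This is an added example, not part of the original post and not Joomla's own code; `matrix()`, `can()` and the sample cases are hypothetical names and constructed inputs.

```php
<?php
// Added example, not Joomla code: all names below are hypothetical.
const COLS = ['Add', 'SeeU', 'SeeP', 'EditU', 'EditP', 'Publ'];

// Build role => [column => grant] from one table row per role.
function matrix(array $rows): array
{
    $m = [];
    foreach ($rows as $role => $grants) {
        $m[$role] = array_combine(COLS, explode(' ', $grants));
    }
    return $m;
}

$current = matrix([   // table observed in 1.5.8, as given in the post
    'Registered' => 'No No ALL No No No',
    'Author'     => 'ALL No ALL No Owner No',
    'Editor'     => 'ALL ALL ALL ALL ALL No',
    'Publisher'  => 'ALL ALL ALL ALL ALL ALL',
]);
$proposed = matrix([  // table the post proposes
    'Registered' => 'No No ALL No No No',
    'Author'     => 'ALL Owner ALL Owner No No',
    'Editor'     => 'ALL ALL ALL ALL No No',
    'Publisher'  => 'ALL ALL ALL ALL ALL ALL',
]);

// $action is Add, See, Edit or Publ; See/Edit pick the U or P column from the article state.
function can(array $m, string $role, string $action, bool $published, bool $isOwner): bool
{
    if ($action === 'See' || $action === 'Edit') {
        $action .= $published ? 'P' : 'U';
    }
    $grant = $m[$role][$action] ?? 'No';   // unknown role or action: deny
    return $grant === 'ALL' || ($grant === 'Owner' && $isOwner);
}

// Constructed cases, one per problem in the post: [label, role, action, published, isOwner]
$cases = [
    ['1. Author sees own draft',       'Author', 'See',  false, true],
    ['2. Author edits own draft',      'Author', 'Edit', false, true],
    ['3. Author edits own published',  'Author', 'Edit', true,  true],
    ['4. Editor edits published',      'Editor', 'Edit', true,  false],
    ['-  Author edits other\'s draft', 'Author', 'Edit', false, false],
];
foreach ($cases as [$label, $role, $action, $pub, $own]) {
    $before = can($current, $role, $action, $pub, $own) ? 'allow' : 'deny';
    $after  = can($proposed, $role, $action, $pub, $own) ? 'allow' : 'deny';
    printf("%-32s current=%-5s proposed=%s\n", $label, $before, $after);
}
```

The same `can()` decision has to be made when the edit form is opened and again when it is saved, not only when the Edit icon is drawn, which is what point 3 of the post asks for.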