Roles authority: Author and Editor

[RysiuM]

Hi everyone. (It's my first post here, so I figured out, I will start with "Hi" )

I started to play with Joomla about 3 weeks ago as I found it the best candidate for the website for my club. This was the easiest to configure and customize to get the look I wanted. The website will have dual purpose: Present a public image of our club and give private info for our members. The main reason for picking up CMS is that we will be able to let our "key members" (contributors - who would write something) to bring materials for this new site. Role management in Joomla (even with current 1.5.8 simple security) works very well for me with two exceptions, which I think they may be fixed minding the publishing "lifecycle".

I assumed the following interpretation of roles:
Author: Contributes with drafting articles. He should be able to enter and correct his draft if needed.
Editor: Does first editing of all drafts written by all Authors. It would be great to have additional status between "draft" and "published". With additional status Editor could move article from the "Draft" phase (available for Author) to "Edited" phase available to Editor and Publisher only. But I understand it may be much bigger change so can live with two statuses now.
Publisher: Does final approval and authorize the article to be published on the website.


From all my tests and research in Joomla I found that the following roles have following authorities in Joomla 1.5.8/ I have prepared simple table that shows what kind of authority particular groups have to articles at article lifecycle..

Code: Select all

            Add    SeeU    SeeP     EditU     EditP    Publ
Registered  No     No      ALL      No        No       No
Author      ALL    No      ALL      No        Owner    No
Editor      ALL    ALL     ALL      ALL       ALL      No
Publisher   ALL    ALL     ALL      ALL       ALL      ALL

Explanation of codes used above:
Actions:
Add = Write new article
SeeU = See unpublished article
SeeP = See published article
EditU = Edit unpublished article
EditP = Edit published article
Publ = Edit and change article status Published/Unpublished

Authorities:
No = Disallowed
Owner = Allowed only for articles with this user as an author
All = Allowed for articles written by all users

Now I see a little flaw in this logic. There are four issues:
1. Problem: Author can not edit his article, which he just wrote because he can not see it as the article is in unpublished status. Resolution: Author should be able to see his own unpublished articles.

2. Problem: The same as above. Resolution: Author should be able to edit his own unpublished articles.

3. Problem: Author can edit hos own articles after they have been approved (published). It means in example that Author can re-insert "bad" content to the article, that was removed (censored) by publisher. Resolution: Author should not be able to edit any articles that have been published.

4. Problem: Editor can not publish articles, but he can edit already published content. The same example as described above that editor can re-insert content that was removed by publisher. Resolution: Editor should not be able to edit any articles that have been published.

So here is what I think it should be:

Code: Select all

            Add    SeeU    SeeP     EditU     EditP    Publ
Registered  No     No      ALL      No        No       No
Author      ALL    Owner   ALL      Owner     No       No
Editor      ALL    ALL     ALL      ALL       No       No
Publisher   ALL    ALL     ALL      ALL       ALL      ALL

Summary of changes needed:

Code: Select all

Change      Add    SeeU    SeeP     EditU     EditP    Publ
Author             No->Owner        No->Owner Owner->No
Editor                                        ALL->No

Now here is my question:
I do programming for living but unfortunately not in PHP. And it would take me forever to to figure out which piece of code is responsible for these checking. However I am sure these checking are done as they work for some data combination doing proper validation. Can someone point me into these pieces or maybe find quick and easy fix that will to the job. I'm looking for the code that:

1. Checks based on User role and article status (published/unpublished) to decide if article should be shown on the screen. To fix the problem 1, article author checking needs to be added there.

2. Checks based on User role and article author to decide if article Edit Icon should be shown on the screen. To fix the problem 2 and 3 and 4, article status (published/unpublished) checking needs to be added there.

3. Checks based on User role if access to the editor is available. If the editor is used to edit existing article, the checking for user role, article author and article status must be done. This will also fixe the problem reported in Security forum (add the &Form... to the link)

I hope that Joomla 1.5.xx is written in such structured way, that there are no to many places to change.

[RysiuM]

I played a little and I think I have part 2 of the fix (this was the easies one (for me):

2. Checks based on User role and article author to decide if article Edit Icon should be shown on the screen. To fix the problem 2 and 3 and 4, article status (published/unpublished) checking needs to be added there.

Only one place to "hack the code":
file: components\com_content\helpers\icon.php
line (starting from 103): I commented out the next three lines and replaced it with a little more complex logic (sorry for the quality of the code, I really don't know PHP ):

Code: Select all

/*  Change by Rysium - Authorities to show edit icon
    if (!$access->canEdit && !($access->canEditOwn && $article->created_by == $user->get('id'))) {
			return;
		}
*/
    // Published only Publisher:
  	if (($article->state == 1) && !$access->canPublish) {
			return;
		}

    //    Edit all unpublished only Editor:
  	if (($article->state == 0) && ($article->created_by != $user->get('id')) && !$access->canEdit) {
			return;
		}

    //    Edit own unpublished by Author:
  	if (($article->state == 0) && ($article->created_by == $user->get('id')) && !$access->canEditOwn) {
			return;
		}

I tested it and works OK - can someone who knows Joomla inside-out can confirm this is the right place? And if so, I'm still looking for places to hack change 1 and 3. I really need it.

[RysiuM]

I guess I have to write it myself - not much help so far.

I just tested the first piece of code that prevents author from viewing not published articles, that was available by typing a link to the article straight in the web browser. Author was always able to access no published articles. I he could even see deleted articles.

Anyway the fix I tested so far (and it's working):

In components\com_content\views\article\view.html.php I replaced line 77:

Code: Select all

if ($article->access <= $aid) {

with more complex validation condition:

Code: Select all

if ($article->access <= $aid && ($article->state == 1 || ($article->state == 0 && $access->canEdit) || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id')) )) {

This will make article visible with for either condition:
- Article must be published
- or User must be Editor or more to unpublished article
- or Author accessing it's own unpublished articles

Few more holes to plug and I will be happy camper.
========================================
Edit: I think I fixed editing issue too. Details in the post http://forum.joomla.org/viewtopic.php?p ... 6#p1543016.

The last thing that I need to change is the selection logic which decides if article is going to be presented on the screen. I'm not sure which piece of code is doing that, but I'm afraid that there are many pieces in many places. I've seen some code with fancy SQL selecting articles for different views (categories, section, search, and others). It will be quite fun to complicate these SQL statements even more

[RysiuM]

OK, I see only three possibilities here:
1. Nobody is interested on the subject
2. I asked wrong questions
3. I asked in the wrong forum.

Anyway, if 1 is not true than I'm happy to inform that digging through the Joomla code I modified all places responsible for showing the content. Quite fancy SQL is out there . Anyway after all these hacks (I have documented them very well for myself) system behaves exactly like I drew in the first post. Off course all this knowledge and experience (it's been fun) I can pass if anyone is interested. Now it's to late to write detail post here especially when I'm not sure if anyone cares anyway.

[iraveesh]

Hello RysiuM,

I am more than glad that you've spent days working on this. I was looking for the exact same thing and am really happy to have found your work.

Is it possible to mail me or publish the complete documentation for us? It'll be of good help to many of us..

[mces0421]

For me, the editor has the most power than the author. He is the decision maker, sometimes he delete the work of the author.Good day

[RysiuM]

For me, the editor has the most power than the author.

Absolutely agree. The hierarchy of users in Joomla is designed sufficient enough for the publishing lifecycle (Author->Editor->Publisher) however the original list of tasks available for these profiles did not correspond to that. In my "hack" I only fixed authorities within available tasks and statuses. The second step (which I did not dare to do), should be adding two article statuses between draft and published. There are three levels of users, but only two statuses so the conflict exists between them because they can have access to the same article at the same time messing with each other work. What it should be is as soon as Editor or Publisher starts his work Author would loose his access to it. Joomla 1.5.8 has 4 statuses (field State in Content file):

0 = Draft, 1 = Published, -1 = Archived, -2 = Deleted

Ideally there should be at least 3 statuses available for editing:

Draft - workplace for Author
Edit - workplace for Editor
Proof - workplace for Publisher

And 3 statuses not available for editing:
Published, Archived, Deleted

Authority setting for front-end special users should be:
Author :
View: Own Drafts, All Published
Edit or Delete: Own Drafts
Changing status: Own Draft -> Edit

Editor :
View: All drafts, Own Edit, All Published
Edit or Delete: Own Edit
Changing status: Own Edit -> Draft, Own Edit ->Proof

Publisher :
View: All drafts, All Edit, All Proof, All Published
Edit or Delete: All Proof
Changing status: Proof -> Draft or Edit (and be able to replace editor) or Published,
Published -> Draft or Edit (and be able to replace editor) or Proof

Any other "not standard" actions outside of the lifecycle should be available only to back-end users.

I'm not sure how the Archive works yet and who can do what.

However, as I wrote before, adding new statuses requires quite extensive change in the system, and that I would leave to guys more knowledgeable than I am - Joomla developers. For my use I can live with existing statuses as I will have very limited number of Authors and probably one editor and one publisher. In that environment they can collaborate face-to-face and not step into each others work.

As for the change I made in the source code I am attaching all modified PHP files - maybe someone will find some bugs, I missed. Here is my "documentation" I made for myself, because in few days I will forget what I did

Code: Select all

CHANGES IN JOOMLA SOURCE CODE
============================
Example of marking the code for changes:
	//  Fix RMA<nnn>:  <Description of the fix>
	//	*** <tag> DELETED LINES ***
	//	< deleted lines of code>
	//  ... 
	//	*** <tag> End of DELETED LINES ***

	//	*** <tag> INSERTED LINES ***
	  	<inserted lines of code>
	//	*** <tag> End of INSERTED LINES ***

**********************************************************************************

Fix: 	RMA001 - Change authorities required to show Edit icon.
TAG: 	RMA001
Description: 
	Edit icon on Published articles visible only to Publisher
	Edit icon on all Unpublished articles visible only to Editor
	Edit icon on Author's own Unpublished articles visible only to Author
Objects: 
.\components\com_content\helpers\icon.php

**********************************************************************************

Fix: 	RMA002 - Remove Uncategorized from possible selections on the front end
TAG: 	RMA002
Description: 
	"Uncategorized" is removed from valid options, when edit articles on 
	the front but still can be selected from the back end.  This way 
	Author will have access to all his unpublished articles via menu option
	to show all articles from Sections.
Objects: 
.\components\com_content\views\article\view.html.php

**********************************************************************************

Fix: 	RMA003 - Fix problem with showing edit form for published articles without
	checking authority to the article.
TAG: 	RMA003
Description: 
	Form for edit article could be shown by typing the link to the article 
	with "&layout=form" at the end.  So author and Editor could edit published 
	articles and anyone could see unpublished articles.
	New complex checking as follows:
	- Publisher can view and edit any article 
	- Editor can view any article but can edit only unpublished articles
	- Author can view only published article and his own unpublished articles
	  but he can edit only his unpublished articles (can not edit his articles 
	  after they are published).
Objects: 
.\components\com_content\views\article\view.html.php

**********************************************************************************

Fix: 	RMA004 - Show articles according to new authority rules
TAG: 	RMA004
Description: 
	New selection that allows Author to see unpublished articles that he wrote.
	This is done by modified SQL in sources listed below to include unpublished
	articles (state=0) to article owner.
Objects: 
.\components\com_content\models\article.php
.\components\com_content\models\frontpage.php
.\components\com_content\models\section.php
.\components\com_content\models\category.php

Source code attached...

[pmcnamara]

You sir are both a gentleman and a scholar !

This should be immediately stickied and made part of the Joomla core !

This has been a long known problem and one I have fought forever.

I am sure there are hundreds if not thousands of Joomla developers who will use and implement this hack.

Sometimes it takes a few days or even weeks for a good fix like yours to populate through to the power users and for its use to be spread.

That being said.. the Joomla Pros will need to test and prod to confirm the work, due diligence by all of course.. but for me I say this is the most promising thing I've seen offered in a long time.

[therealvibe]

I have been testing Joomla 1.5.9 and wanted to find out what it offers esp ACL.
Surprisinly the first thing I tested didn't work.

I create a user that falls in Editor group. When this user logs in, he can edit an article and save it.
Once the article is saved it is automatically reflected on the main page.
I thought editors cannot publish pages... is this a bug? Can someone help pls.

D

[RysiuM]

When you logged in as editor you can see all articles that are not published (so you can edit them). Do you say, that guest or Author can see this not published article?

[Stoney2you]

RysiuM;

THIS IS AWESOME! I have been looking for this very thing!

I applied the hacks to a site that I am developing for a new client, and I'm testing it. IT WORKS!
Thanks for providing the files, BTW. I haven't found any problems so far, but I will be sure to let you know if I do.

Thank you, thank you! Now all I need is a way to list the Author's articles so they won't have to go hunting for them... Probably I'll install Community Builder and turn on the Article List feature...

The second step (which I did not dare to do), should be adding two article statuses between draft and published. There are three levels of users, but only two statuses so the conflict exists between them because they can have access to the same article at the same time messing with each other work.

I agree. I was shocked once when I realized that a front-end Admin user was not locked out of an article that I was in the middle of editing! I thought it was a glitch. It would be nice if the developers work on this "second step".

But for now, GREAT WORK!

Sharon

[k_czka]

thx a lot this is great but after updating to 1.5.9 authors can't see unpublished articles

pls help

[RysiuM]

thx a lot this is great but after updating to 1.5.9 authors can't see unpublished articles

I did not install 1.5.9 yet. Do you mean, that Author can't see even his own unpublished articles? Hmm...

I'm going to start new site and it will be good idea to upgrade my testing to the latest greatest, and start from here. Right now I'm testing 1.5.8 and I'm quite happy, except the fact, that (what I read in Security forum) it is not resistant to some nasty bug (Directory Traversal) that has been fixed in 1.5.9. I will do it soon, and then I will see if there is anything in the code to change for my four hacks.

[Stoney2you]

RysiuM,

Just a quick note. The site I refer to above is a new 1.5.9 install and they work perfectly for me.


k_czka: Did you re-apply the hacks after upgrading?

-Sharon.

[doc_flake]

I applied the hack to my 1.5.9 test-install and it's running fine. Thank you so much, RysiuM!
Just one important fact to observe: After unzipping the archive you provided, the files and folders are world-writable!!! Remember everybody to chmod the files to 644 (folders to 755).

[RysiuM]

Just one important fact to observe: After unzipping the archive you provided, the files and folders are world-writable!!! Remember everybody to chmod the files to 644 (folders to 755).

Being in "software business" for so many years I forgot to mention the fact, that was quite obvious to me . If it is a "hack" or "fix" do not take it for granted. DO NOT COPY my source replacing the original ones. I provided all sources for reference or source merge only. If you have different version or modified version of Joomla code, the result may be unpredictable.

About 1.5.9. I just upgraded my test site to 1.5.9 Then I run comparison, what had been affected - what are the conflicts between objects in the upgrade package and sources I modified. Only one source is in conflict:

<Joomla root>\components\com_content\models\category.php

I have applied the fix to the original 1.5.9 code for your convenience (see attachment). I did not see any conflicts with the functionality change, so it should be OK.

Goo luck.

[k_czka]

thx a lot evreything is working now
Rysiu jestes the best

[RysiuM]

Rysiu jestes the best

Wow - thanks. I'm happy I could help.

[bkwdesign]

RysiuM - I'm an old Mambo tinkerer jumping back into Joomla for my latest employer. This feature has been buggy forever, it seems to me. I'm implementing your code changes immediately.

Thanks for taking the time to lay everything out so neatly and your straightforward matrix.

I'm wondering now how you can get the attention of the core Joomla team and get this integrated into the svn repository.

[therealvibe]

Hi Rysiu,

When I mean is that the editor can edit (already published articles) and republish them without the approval of the publisher of a higher user as the administrator. What I want is the the publisher or the administrator has to approve the changes that the editor makes to published articles before republishing. But to my surprise this will not happen. I read the user roles in the joomla manual and suppose users in the editor group can not publish.

Every change the editor makes to published articles will be republished anyways to the front page.
Is this a file permission or a joomla bug? let me know.

Dwayne

[bkwdesign]

.. What I mean is that the editor can edit (already published articles) and republish them without the approval or the publisher of a higher user such as the administrator. What I want is the the publisher or the administrator has to approve the changes that the editor makes to published articles before republishing. But to my surprise this will not happen. I read the user roles in the joomla manual and suppose users in the editor group can not publish.

Every change the editor makes to published articles will be republished anyways to the front page.
Is this a file permission or a joomla bug? let me know.

Hi there, 'therealvibe', To my knowledge, this is a limitation of Joomla.

It only has one version of an any given article in storage. It does not store multiple article states. For example, there is no history of an article maintained. Likewise, there is also no persistence of the 'currently published' article versus the 'recently-edited-but-not-yet-approved' article. So, I don't think Joomla's framework is prepared to handle the scenario you've described.

[therealvibe]

Hi bkwdesign,

I read this in joomla manual about the user roles. What is the purpose of the user roles then? if editor author and publisher all can publish?

d

[bkwdesign]

Well, it *has* been a while since I've torn into the innards of Joomla. I certainly could be wrong. But, I think the roles mainly apply to allowing users to contribute new content. Someone may author something (i.e. create a new submission), but, that doesn't make it visible to the public until the publisher has reviewed it and takes further action upon the article.

[spoon123]

Hi,
I installed the fix, but I have two problems:

1) Changes an author or an editor makes are not going to be saved.

For ex.: If an author writes a new article and saves it and later he wants to change this existing unpublished article, the changes are not going to appear for him and the editor, after he clicked the save button. Same with an editor who does changes on an unpublished article of an author. Only the publisher sees the changes done by author and editor.

2) Changes a publisher does on unpublished articles only going to appear to the publisher.

If a publisher changes an unpublished article and saves the changes by him self, this changes are shown, but only to him. This changes made by a publisher does not appear to the author or the editor. Author end editor still see the first version of the article.

Does anybody have solution or explanation for this? A solution that author and editor would be able to view the changes on unpublished articles they have done?

Yours,
Soon123

[doc_flake]

1) Changes an author or an editor makes are not going to be saved.

For ex.: If an author writes a new article and saves it and later he wants to change this existing unpublished article, the changes are not going to appear for him and the editor, after he clicked the save button. Same with an editor who does changes on an unpublished article of an author. Only the publisher sees the changes done by author and editor.

2) Changes a publisher does on unpublished articles only going to appear to the publisher.

If a publisher changes an unpublished article and saves the changes by him self, this changes are shown, but only to him. This changes made by a publisher does not appear to the author or the editor. Author end editor still see the first version of the article.

I cannot confirm these problems. All changes are saved and available to everybody who's entitled to see the article.
Spoon, I would suspect caching problems with your setup. Did you reload the page? Do you have caching enabled on your site?

[therealvibe]

hmm ok.. well let me put it this way. It is possible with joomla. To make a user for a client.. and let clients login with this user and make changes without publishing it. Them I login with the administrator. approve their changes.. and them publish it myself? if this is possible with the native joomla let me know how to do it.
Maybe I am doing something wrong creating users under the editor group.

Regards,

Dwayne

[spoon123]

1) Changes an author or an editor makes are not going to be saved.

For ex.: If an author writes a new article and saves it and later he wants to change this existing unpublished article, the changes are not going to appear for him and the editor, after he clicked the save button. Same with an editor who does changes on an unpublished article of an author. Only the publisher sees the changes done by author and editor.

2) Changes a publisher does on unpublished articles only going to appear to the publisher.

If a publisher changes an unpublished article and saves the changes by him self, this changes are shown, but only to him. This changes made by a publisher does not appear to the author or the editor. Author end editor still see the first version of the article.

I cannot confirm these problems. All changes are saved and available to everybody who's entitled to see the article.
Spoon, I would suspect caching problems with your setup. Did you reload the page? Do you have caching enabled on your site?

Hi,
I turned off the cache of my browser (Firefox). The cache in joomla itself is switched off too. There are still these problems mentioned above!

It was also my first idea that there is something wrong with the cache, but for the "publisher" everything works fine. He can see all changes on existing unpublished articles, only author and editor are not able to see there own and other changes on existing and unpublished articles.

I followed the installation of the bug-fix, replacing the files mentioned in the "CHANGES IN JOOMLA SOURCE CODE" file ) RMA001, RMA002, RMA003, RMA004

Did I forget maybe something? What can be the problem?

Thanks,
SPOON

PS: I am using Joomla version 1.5.8

[pmcnamara]

Did you try a different browser ?

I find that often, even though I clean the cache.. these types of changes don't always show themselves right away in the same browser, but will in another.

[spoon123]

Did you try a different browser ?

I find that often, even though I clean the cache.. these types of changes don't always show themselves right away in the same browser, but will in another.

I downloaded and installed latest version of Opera and the problem is still there, normally I use Firefox. I really believe it is not a cache problem. What else can it be?

I don't understand this: It seems that it works for all of you, so I can assume the bug-fix in general must work, but I don't understand why it is not working for me. . . . oh, the mighty internet God moves in mysterious ways.. . . .

[RysiuM]

Ladies and Gentlemen

Please accept my apology for one bug I found today in my fix.
The faulty object is icon.php in folder .\components\com_content\helpers.

The problem I found is that Editor can not see the "edit" icon next to his own unpublished article. He can only edit article written by other people. To fix the issue the following line (line 127):

Code: Select all

if (($article->state == 0) && ($article->created_by == $user->get('id')) && !$access->canEditOwn) {

has to be replaced with following line:

Code: Select all

if (($article->state == 0) && ($article->created_by == $user->get('id')) && !$access->canEditOwn && !$access->canEdit) {

It looks like the value $access->canEditOwn is <false> for Editor.
It seems that for Editor only variable $access->canEdit is <true> . So this is why additional checking had to be included. I tested it and it looks that fixed the problem.

For your convenience I'm attaching the updated set of all modified objects in one zip for Joomla 1.5.9.