[Mayan EDMS: 2261] Help with Permissions

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2261] Help with Permissions

Ray Hendricks
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2277] Re: Help with Permissions

LeVon Smoker
I am having the same problem. Did you find a solution to this?

On Tuesday, January 30, 2018 at 3:07:20 PM UTC-5, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2278] Re: Help with Permissions

Ray Hendricks
No, I didn't. I'm currently interviewing developers to work on Mayan-EDMS for us.

--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2281] Re: Help with Permissions

LeVon Smoker
I have a hackish, hard-coded fix for this. A better fix would involve some to the DocumentPageResult model, but this works and I didn't feel like refactoring a bunch of code...

In /usr/share/mayan-edms/mayan/apps/acls/managers.py, after line 144 (in the filter_by_access function), paste this in:
                # added for fix page search bug-BEGIN
               
# Perform iterative filtering.
               
if str(queryset.model) == "<class 'documents.models.DocumentPageResult'>":
                    result
= []
                   
for entry in queryset:
                       
try:
                           
self.check_access(permissions=permission, user=user, obj=entry.document)
                       
except PermissionDenied:
                           
pass
                       
else:
                            result
.append(entry.pk)
                   
return queryset.filter(pk__in=result)
               
# END

Here's a wider view of the code in context:
    def filter_by_access(self, permission, user, queryset):
       
if user.is_superuser or user.is_staff:
            logger
.debug('Unfiltered queryset returned to user "%s" as superuser or staff',
                         user
)
           
return queryset

       
try:
           
Permission.check_permissions(
                requester
=user, permissions=(permission,)
           
)
       
except PermissionDenied:
            user_roles
= []
           
for group in user.groups.all():
               
for role in group.roles.all():
                    user_roles
.append(role)

           
try:
                parent_accessor
= ModelPermission.get_inheritance(
                    model
=queryset.model
               
)
           
except KeyError:
                parent_acl_query
= Q()
               
# added for fix page search bug-BEGIN
               
# Perform iterative filtering.
               
if str(queryset.model) == "<class 'documents.models.DocumentPageResult'>":
                    result
= []
                   
for entry in queryset:
                       
try:
                           
self.check_access(permissions=permission, user=user, obj=entry.document)
                       
except PermissionDenied:
                           
pass
                       
else:
                            result
.append(entry.pk)
                   
return queryset.filter(pk__in=result)
               
# END
           
else:
                instance
= queryset.first()
               
if instance:
                    parent_object
= getattr(instance, parent_accessor)

                   
try:
                       
# Try to see if parent_object is a function

and restart your web server.

On Wednesday, February 28, 2018 at 11:43:18 AM UTC-5, Ray Hendricks wrote:
No, I didn't. I'm currently interviewing developers to work on Mayan-EDMS for us.

--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2284] Re: Help with Permissions

Michael Price
In reply to this post by Ray Hendricks
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2292] Re: Help with Permissions

LeVon Smoker
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2293] Re: Help with Permissions

Michael Price
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2294] Re: Help with Permissions

Michael Price
Found the root of the problem. DocumentPage is registered with the permission inheritance but the model returned during page searches is not DocumentPage but DocumentPageResult. DocumentPageResult has not permission inheritance relationship to Document. That is the reason no pages are returned unless you are an admin user. 

The fix involves a few steps:

1- Add a permission relationship between DocumentPageResult and Document. This causes an error. The error is caused because the inheritance system only allows database fields or functions, doesn't support related references. In this case a related references is needed: DocumentPageResult -> DocumentVersion -> Document. The related field must allow something like 'document_version__document".
2- Add a function to navigate a related reference down to the actual model instance being referenced. This function turns the string 'document_version__document" to the instance of Document being referenced.
3- Update the AccessControlList.objects.filter_by_access method to use the return_related instead of the simple getattr.

This solution allows filtering the queryset at the database instead of using callable function for each instance in the queryset which is much faster and cleaner.

My code in the branch 'feature/pagesearch_testing' at https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing. Added a 4 tests for document and document page searching with and without the document view permissions and they pass with no problem. I think every app that has a searchable object should have a test_search test suit.

Even after months of working on the code I'm still amazed at how well written Mayan is. Kudos to Roberto for making something so far ahead than anything else I've seen in the Django market. 

I'll take a stab at the Cabinet pagination problem.

Just helping until Roberto is back in full swing :)

On Thursday, March 1, 2018 at 3:13:27 PM UTC-4, [hidden email] wrote:
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2297] Re: Help with Permissions

Michael Price
The fix for the cabinet pagination was easy. Just make CabinetDetailView a subclass of DocumentListView instead of TemplateView. In the cabinet_details.html remove the lines {% with document_list as object_list %} and {% endwith %} This makes the template display the paginated object_list provided by DocumentListView and not the raw list of documents in the document_list variable.

On Thursday, March 1, 2018 at 7:06:03 PM UTC-4, Michael Price wrote:
Found the root of the problem. DocumentPage is registered with the permission inheritance but the model returned during page searches is not DocumentPage but DocumentPageResult. DocumentPageResult has not permission inheritance relationship to Document. That is the reason no pages are returned unless you are an admin user. 

The fix involves a few steps:

1- Add a permission relationship between DocumentPageResult and Document. This causes an error. The error is caused because the inheritance system only allows database fields or functions, doesn't support related references. In this case a related references is needed: DocumentPageResult -> DocumentVersion -> Document. The related field must allow something like 'document_version__document".
2- Add a function to navigate a related reference down to the actual model instance being referenced. This function turns the string 'document_version__document" to the instance of Document being referenced.
3- Update the AccessControlList.objects.filter_by_access method to use the return_related instead of the simple getattr.

This solution allows filtering the queryset at the database instead of using callable function for each instance in the queryset which is much faster and cleaner.

My code in the branch 'feature/pagesearch_testing' at <a href="https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;">https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing. Added a 4 tests for document and document page searching with and without the document view permissions and they pass with no problem. I think every app that has a searchable object should have a test_search test suit.

Even after months of working on the code I'm still amazed at how well written Mayan is. Kudos to Roberto for making something so far ahead than anything else I've seen in the Django market. 

I'll take a stab at the Cabinet pagination problem.

Just helping until Roberto is back in full swing :)

On Thursday, March 1, 2018 at 3:13:27 PM UTC-4, [hidden email] wrote:
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2300] Re: Help with Permissions

LeVon Smoker
Thanks!!

On Thursday, March 1, 2018 at 10:56:31 PM UTC-5, Michael Price wrote:
The fix for the cabinet pagination was easy. Just make CabinetDetailView a subclass of DocumentListView instead of TemplateView. In the cabinet_details.html remove the lines {% with document_list as object_list %} and {% endwith %} This makes the template display the paginated object_list provided by DocumentListView and not the raw list of documents in the document_list variable.

On Thursday, March 1, 2018 at 7:06:03 PM UTC-4, Michael Price wrote:
Found the root of the problem. DocumentPage is registered with the permission inheritance but the model returned during page searches is not DocumentPage but DocumentPageResult. DocumentPageResult has not permission inheritance relationship to Document. That is the reason no pages are returned unless you are an admin user. 

The fix involves a few steps:

1- Add a permission relationship between DocumentPageResult and Document. This causes an error. The error is caused because the inheritance system only allows database fields or functions, doesn't support related references. In this case a related references is needed: DocumentPageResult -> DocumentVersion -> Document. The related field must allow something like 'document_version__document".
2- Add a function to navigate a related reference down to the actual model instance being referenced. This function turns the string 'document_version__document" to the instance of Document being referenced.
3- Update the AccessControlList.objects.filter_by_access method to use the return_related instead of the simple getattr.

This solution allows filtering the queryset at the database instead of using callable function for each instance in the queryset which is much faster and cleaner.

My code in the branch 'feature/pagesearch_testing' at <a href="https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;">https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing. Added a 4 tests for document and document page searching with and without the document view permissions and they pass with no problem. I think every app that has a searchable object should have a test_search test suit.

Even after months of working on the code I'm still amazed at how well written Mayan is. Kudos to Roberto for making something so far ahead than anything else I've seen in the Django market. 

I'll take a stab at the Cabinet pagination problem.

Just helping until Roberto is back in full swing :)

On Thursday, March 1, 2018 at 3:13:27 PM UTC-4, [hidden email] wrote:
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2317] Re: Help with Permissions

LeVon Smoker
Michael,

Is it possible to get read access to https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing?

On Friday, March 2, 2018 at 10:13:05 AM UTC-5, LeVon Smoker wrote:
Thanks!!

On Thursday, March 1, 2018 at 10:56:31 PM UTC-5, Michael Price wrote:
The fix for the cabinet pagination was easy. Just make CabinetDetailView a subclass of DocumentListView instead of TemplateView. In the cabinet_details.html remove the lines {% with document_list as object_list %} and {% endwith %} This makes the template display the paginated object_list provided by DocumentListView and not the raw list of documents in the document_list variable.

On Thursday, March 1, 2018 at 7:06:03 PM UTC-4, Michael Price wrote:
Found the root of the problem. DocumentPage is registered with the permission inheritance but the model returned during page searches is not DocumentPage but DocumentPageResult. DocumentPageResult has not permission inheritance relationship to Document. That is the reason no pages are returned unless you are an admin user. 

The fix involves a few steps:

1- Add a permission relationship between DocumentPageResult and Document. This causes an error. The error is caused because the inheritance system only allows database fields or functions, doesn't support related references. In this case a related references is needed: DocumentPageResult -> DocumentVersion -> Document. The related field must allow something like 'document_version__document".
2- Add a function to navigate a related reference down to the actual model instance being referenced. This function turns the string 'document_version__document" to the instance of Document being referenced.
3- Update the AccessControlList.objects.filter_by_access method to use the return_related instead of the simple getattr.

This solution allows filtering the queryset at the database instead of using callable function for each instance in the queryset which is much faster and cleaner.

My code in the branch 'feature/pagesearch_testing' at <a href="https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;">https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing. Added a 4 tests for document and document page searching with and without the document view permissions and they pass with no problem. I think every app that has a searchable object should have a test_search test suit.

Even after months of working on the code I'm still amazed at how well written Mayan is. Kudos to Roberto for making something so far ahead than anything else I've seen in the Django market. 

I'll take a stab at the Cabinet pagination problem.

Just helping until Roberto is back in full swing :)

On Thursday, March 1, 2018 at 3:13:27 PM UTC-4, [hidden email] wrote:
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

[Mayan EDMS: 2348] Re: Help with Permissions

ericriggs42
That branch's work was completed merged into versions/next => https://gitlab.com/Michael.Price/mayan-edms/commits/versions/next


On Tuesday, March 6, 2018 at 10:09:31 AM UTC-4, LeVon Smoker wrote:
Michael,

Is it possible to get read access to <a href="https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;">https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing?

On Friday, March 2, 2018 at 10:13:05 AM UTC-5, LeVon Smoker wrote:
Thanks!!

On Thursday, March 1, 2018 at 10:56:31 PM UTC-5, Michael Price wrote:
The fix for the cabinet pagination was easy. Just make CabinetDetailView a subclass of DocumentListView instead of TemplateView. In the cabinet_details.html remove the lines {% with document_list as object_list %} and {% endwith %} This makes the template display the paginated object_list provided by DocumentListView and not the raw list of documents in the document_list variable.

On Thursday, March 1, 2018 at 7:06:03 PM UTC-4, Michael Price wrote:
Found the root of the problem. DocumentPage is registered with the permission inheritance but the model returned during page searches is not DocumentPage but DocumentPageResult. DocumentPageResult has not permission inheritance relationship to Document. That is the reason no pages are returned unless you are an admin user. 

The fix involves a few steps:

1- Add a permission relationship between DocumentPageResult and Document. This causes an error. The error is caused because the inheritance system only allows database fields or functions, doesn't support related references. In this case a related references is needed: DocumentPageResult -> DocumentVersion -> Document. The related field must allow something like 'document_version__document".
2- Add a function to navigate a related reference down to the actual model instance being referenced. This function turns the string 'document_version__document" to the instance of Document being referenced.
3- Update the AccessControlList.objects.filter_by_access method to use the return_related instead of the simple getattr.

This solution allows filtering the queryset at the database instead of using callable function for each instance in the queryset which is much faster and cleaner.

My code in the branch 'feature/pagesearch_testing' at <a href="https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgitlab.com%2FMichael.Price%2Fmayan-edms%2Fcommits%2Ffeature%2Fpagesearch_testing\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF9JUkEfjdVTY_ClWjIqxRWaUNDEg&#39;;return true;">https://gitlab.com/Michael.Price/mayan-edms/commits/feature/pagesearch_testing. Added a 4 tests for document and document page searching with and without the document view permissions and they pass with no problem. I think every app that has a searchable object should have a test_search test suit.

Even after months of working on the code I'm still amazed at how well written Mayan is. Kudos to Roberto for making something so far ahead than anything else I've seen in the Django market. 

I'll take a stab at the Cabinet pagination problem.

Just helping until Roberto is back in full swing :)

On Thursday, March 1, 2018 at 3:13:27 PM UTC-4, [hidden email] wrote:
I was referring to Mayan's custom permission inheritance which is handled by the acls.classes.ModelPermission class. This is different than the model inheritance used by Django which is limited to just database fields and methods. Django's model inheritance is meant to emulate Python's class inheritance whose purpose is reduce repetition of code. Mayan permission inheritance should be called permission relationships instead to better reflect its purpose.

Mayan uses two method of the ModelPermission to determine how an object inherit permission from another. In the documents.apps file it is using the .register_inheritance to correlate the DocumentPage and the Document model.

        ModelPermission.register_inheritance(
            model=DocumentPage, related='document',
        )

Before that it is using the .register_proxy to correlate the Document model with the DocumentType model. I don't understand the difference. I'm tying to figure it out before bothering Roberto for an explanation.

On Thursday, March 1, 2018 at 10:14:50 AM UTC-4, LeVon Smoker wrote:
Yes. This specific case is with the DocumentPageResult model which inherits from DocumentPage which inherits from the standard Django model not the Document model. DocumentPage as a 'document' property which I used for my workaround.

Maybe there's a way to trick the function into using the document property in certain cases.

And while I have your attention, (I think) pagination needs to be added to the Cabinets details views and Index views. I ran into a situation where a Cabinet had over 1000 documents and the browser could not handle rendering all of those thumbnails...

And thank you for picking up this great project.

On Wednesday, February 28, 2018 at 8:00:39 PM UTC-5, [hidden email] wrote:
So to summarize, the document search works but the page search is broken, using that permissions scheme?

Mayan's permission system supports permission inheritance. That means that if an object is a child object, it will inherit the permission requirements of its parent. If you hold the view permission for a document type, you automatically have that same permission for all the documents of that type and all the pages of the documents of that type. By what you are describing it seems the pages are not inheriting the permissions of their parent documents.

On Tuesday, January 30, 2018 at 4:07:20 PM UTC-4, Ray Hendricks wrote:
I have two document types "Default" and "Personal"

I have two roles "Default Owner" and "Personal Owner"

I have two Groups "Work" and "Personal"

Jim is a member of the group "Work" and Kelly is a member of the group "Personal"

The Group "Personal" is a member of the Role "Personal Owner" and the Group "Work" is a member of  the the Role "Default Owner"

This works in that Jim can't view "Personal" documents but Jim also can't search pages (he can search documents though).  Is this expected behavior?



--

---
You received this message because you are subscribed to the Google Groups "Mayan EDMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.