need help with ACL to hide non-public tasks from other users

P3X-749 · I like it here. Joined: 31 Aug 2009 Posts: 6

Hello all,

I am a fresh user of web2project.
Many thanks for this fine piece of work and all your efforts put into it.

For a multi-company project, I need some advice on how to setup
the different users and their ACLs.

Want I want to achieve is, that tasks which are non-public (private, protected,...)
cannot be viewed and/or accessed by other Users who are not from the very same company.

So far have setup several companies (Master, A and B)
with individual users (Project Managers) who all have the full
permissions on creating and maintaining projects
(allow all for non-admin modules via a user-role).
The "Master" company is running the overall project, with public tasks
like "plan, build, run". All other companies run their individual projects and
use the overall project as their Parent-Project. These projects also have some public tasks.
Now, when an individual company adds same non-public tasks to their
project plan (either with or without a public task as parent)...

...the Project Manager of the Master company with the parent plan
can see all the non-public tasks from the other companies.
These show up in the projects view (task list and gantt) of the overall project.
However, access is denied when selecting such a task from the task-list of the projects view.

...but this is only half of what I would like to achieve...how can I hide the non-public
tasks completely?

Many thanks in advance!

regards,
p3x-749

pedroa

Hi P3X-749 and welcome to web2Project.

Thanks for your message.

What happens is that the tasks when showing on a list of tasks are not passing through Task Access filtering, only when they are accessed for viewing/editing.
So when you click on a task link that you do not have Access through Task Access field, you get the access denied.
When you try to edit the task it will deny access too.

Why is that? Performance.

Doing so, does not require to check each task for access individually, which on a long task list could be a performance hit.

But that, as you mention can be a security flaw.
So I am developing a solution that will keep us all satisfied, by doing the same check but keeping from doing crazy loops and keeping data retrieval at the minimum possible.

I'll keep you updated,

Thanks for reporting,

Pedro A.

P3X-749 · I like it here. Joined: 31 Aug 2009 Posts: 6

Thanks for your response.

I was under the opinion that I just
didn't get something right with the
user's permissions.
By the looks of it, it sounds like there
is some work to do inside the implementation
itself.

I am happy to here that you'll think of a solution
for a future release.

regards,
P3X-749

pedroa

Hi,

The solution is implemented on revision 604 http://web2project.svn.sourceforge.net/viewvc/web2project?view=rev&revision=604
You can either grab it from SVN, or wait until tomorrow on our daily snapshots:
http://www.demval.com/ftp/
...or wait for our next release.

Cheers and thanks,

Pedro A.

P3X-749 · I like it here. Joined: 31 Aug 2009 Posts: 6

,,oh, wow...that was FAST!
I fetched the rev. 604 from they daily snapshots and will give it
a try ASAP.
I'll report back how things are going.

regards,
P3X-749

nuddernuby

Kindly assist me here:

In Rev 604, what changes were introduced to

trunk/modules/tasks/vw_log_update.php

apart from the top line?

Have I missed something?
Rgds

pedroa

nuddernuby

Impressive. Thanks Pedro. I missed the ampersand.
Rgds

P3X-749 · I like it here. Joined: 31 Aug 2009 Posts: 6

Hi Pedro,

pedroa

Lovely, thanks for letting us know.

Cheers,

Pedro A.

nuddernuby

I need some help on this. Not sure if it hasn't been addressed in (several) other threads.
Here is my problem:
Under my current setup (v1.1) a project user has non-administrative privileges with a couple of specific denials, like access to reports, etc. He does not have editing access to the tasks of other companies' tasks, but he can see the projects and tasks of other companies. This is an absolute no-no. One client will not want to have any other company looking at their tasks and what they are about. So a member of company A must not be able to see anything of any other company to which he has not been assigned. This is not the case in my present set-up.

Have I missed something here? Maybe I need a manual on w2p permissions.
Your advice will be valued.
Rgds

pedroa

Hi nuddernuby,

One advice that I give to people that are exquisite as far as permissions are concerned is to NOT use the All, Non-Admin and Admin set of permissions.

Because they are too much permissive, specially the All and Non-Admin.

They will sorta let anyone do anything.

If you want to do an effective job on permission controlling you must start from scratch.

What I mean is:
1) Determine which kind of users you have and what do you want them to be able to do.
If you find yourself seeing that you want users to only be able to work with only one company (like the situation you reported) then...
2) Create a Role with no permissions whatsoever.
3) Add to that Role the permission to view only one Company, allow view Company A as an example
4) Identify what other modules will they be able to access (by that I mean to see the top menu module name), view, add, edit, delete records from
5) Add those global module permissions to the Role too
6) Now on each of that set of homogeneous users go to their account and remove any other Roles they may have and give that one you created.
7) Whenever you identify a new group or set of homogeneous users, start another empty Role and build it from ground up.

web2Projects permissions are based on the idea that everything is denied unless permitted to, by default everything is softly denied when no permissions have been granted.
And granting groups of permissions like "All" and "All Non-Admin" modifies this behavior to everything or almost everything is permitted.

web2Projects permissions also work on a cascading flow, like a pyramid.
If a user can only see Company A, and he has been granted view permission over all Projects (or the Projects module), he will only be able to see Company A Projects.
But if he is only granted permission to view one Project, even if he has permission to see all Tasks (or the Tasks module), he will only be able able to see that Projects Tasks.
So there is an hierarchy of objects, where, Companies (along with Users) are top Objects, then Departments (along with Users) , then Projects, then Tasks, then Task logs, Files, Links and so on.

Sure it requires some extra work to fine tune it, but better safe than sorrow.

Cheers,

Pedro A.

nuddernuby

I had no doubt that your feedback would be quick and thorough - as always.

Thank you. It looks good. What caught me out was that, with limited permissions, I would only get the Welcome screen. So I followed your outline and added permissions one by one as shown below. What was interesting was that only after adding the calendar access in this series could the user get into the programme, i.e. the welcome screen disappeared. Here is the route I took:

Company A: Access, view
App: Task Logs: Access, View, Add, Edit
App: Tasks: Access, View
App: Calendar: Access, View, Add
------------------- after adding the Calendar access the Welcome screen disappeared
App: Projects: Access, View

Now I can figure it out further.

Thanks. Good feedback.

pedroa

nuddernuby

Thank you. The lights are slowly going on.

Now we have added 2 more permissions to the above role, namely
Apps: Contacts (Access, View) and
Apps: ProjectDesigner (Access, View)

However, when on the Tasks page, for which we have Access and View permissions, the expand/collapse button next to the project name does not work, i.e. it does not allow us to view the task list.

Any suggestion as to what we are doing wrong?
Rgds

nuddernuby

Before we interrupt the beach therapy and make you guys do unnecessary work, let me report that we have caught this ball ourselves. Soon we may qualify for promotion from grade 1 to grade 2!

It appears that the particular user must have at least one task assigned to him/her in that particular project before the expand/collapse button will allow him to view the tasks. Pretty nifty.

Is this correct?

pedroa

Hi,

In case you haven't noticed you already passed the 100 posts barrier Sir, so yeah you got to a new grade, now you are an Evangelist Member Smile

About the Tasks list, that will all depend on the filtering you have chosen.
By default it shows all the tasks a user is assigned to and that are not finished. That matches your description.

So check the top right Tasks Filter, to see what you should be seeing.

Cheers,

Pedro A.

nuddernuby

I should ask the next question before I start poking around in unfamiliar territory in the usual way and possibly messing up the entire system. We have followed your guidance on this and created a tailor made permissions package for a subcontractor for a specific company. It consumed quite some time to do this. Now we have several companies requiring the exact same permissions package (role) but where only the company name has to change.

Question: How do we best copy the role without having to go through the entire tedious and time consuming process of building it de novo every time? Should we do it via database query or is there another way?

TIA

pedroa

nuddernuby

OK, I give up : which table(s)?

Rgds

caseydk

pedroa

Don't worry Keith, I am doing a little freebie for Mr. nuddernuby for all the support he has given us Smile

Should be ready today.

Pedro A.

nuddernuby

You'll have me blushing....!

pedroa

I've crossed rivers of wine to achieve this, but it is done and it is on SVN now.
Revision 664.

Enjoy the candy Mr. nuddernuby Smile

Cheers and thanks for the support,

Pedro A.

nuddernuby

Well, well, well.. I am amazed.
It is installed and works like a charm. Do you know how much time this will save? Muito obrigado, Senhor.

(There must be something about the rivers of wine in Portugal. Maybe some b**bs floating around?)

Great stuff and thank you again.