News:

Support for jDownloads 3 has been ended
Since 17 August 2023 Joomla.org has discontinued support for Joomla 3.x. Therefore, we will no longer offer official support for our Joomla 3 jDownloads version 3.9.x from January 2024.
Please update your website to the latest Joomla version (Joomla 4 or Joomla 5) as soon as possible. Afterwards, please update jDownloads to the latest published version. The longer you delay, the more difficult the upgrade process for your website is likely to be.

Main Menu
Support-Forum

ACL Doesn't works correctly - [Not a bug!!!]

Started by m.iannozzi, 04.07.2014 16:57:05

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

m.iannozzi

 Jdownload Version:3.2.8 Beta
Joomla 3.3.1 (I dont't know if bug is related for only this version)

Hi,
I have created a folder (A) and Group A,B

Created Group: Registered -> GROUP_A ->GROUP_B
Created User: USER_A

USER_A is a part of GROUP_B

Default ACL:
Public----> Edit_own (Allowed)
All other ACL Inherited


JDownload category: FOLDER_A
OWNER ---> USER_A

Setted permission
GROUP_A ---> ALL ACL Inherited
GROUP_B ----> All ACL Allowed (Calculated permission Allowed)

When I try to upload file jdownload say that I haven't permission to upload file. It works only if I grant Create ACL (Allowed) ad Default in PUBLIC group

With same setting DOCMAN Joomla extension works correctly so I suspect that is a Jdownload BUG but I can't use DOCMAN because have a very few option.


Best Regards.
Marco

  •  

ColinM

Hi
Yes at the moment there is a bug with the ACL  and user groups stuff which is actively being worked on. Believe it will be fixed in next beta release.  Not sure however if it applies in your scenario.

The usual default ACL permissions for the Registered Group are that Download and Edit Own are allowed, with all others being Not Allowed.  That is people in the registered group and its immediate descendants such as Group A and Group B would not be able to upload.  To allow them to upload you would have to explicitly Allow Create permission. 

It would be helpful if you could try it with a user who just belongs to the registered group only as that usually works if you have allowed Create permission. The problem comes with descendant groups.

Thanks
Colin
Colin M
  •  

m.iannozzi

Hi,
thanks for your feedback. I have tryied your suggestion

I have created a user TEST and assigned it to Registered group.
In Component-->Jdownload--->Category--->CategoryName--->Permission I have allowed All for Registered Group (Calculated permission Allowed)
In frontend I have tried to uplolad but I have same problem.
You do not have permission to create a new download.

I need to Allow perms in System-->Globalconfiguration--->Permission--->Jdownload



  •  

ColinM

Hi
the Options button on the jDownloads Control Panel and also on the User Group Settings  sets up the permissions in exactly  the same way as System-->Globalconfiguration--->Permission--->Jdownload.   It was The Options button method I thought you were using.  It is those permissions that control the actions that the jDownlads component can take for a particular user group.

Were you setting Category  or Downloads Permissions? 
Also did you look at http://www.jdownloads.net/documentations/item/jdownloads-acl-notes-2?category_id=32

If you were using the Category Permissions rather than the Component permissions then I will need to add a bit to the above documentation to clarify.

Colin
Colin M
  •  

m.iannozzi

#4
Hi,
Yes. I have see document link and I can confirm that I set ACL in category Permission. The problem is with upload and not with download. So I think that is correct to allow perms in category.
So I create category and in same category TAB as describe in documet I have set permission for "Registered Group" but in this way acl doesn't works. Seems to be ignored.
I'm using joomla 3.3.1 can be a problem only with this release?
With DOCMAN in similar way all works good.
  •  

ColinM

#5
Hi
It is not the permissions of the Category alone that is fundamental to being able to Create.  It is the permissions of the Component and the Category.  Normally the Category will get the same permissions as the Component for a specific user group.  But the reverse is not true so if you give a category a permission it does not, by design, flow through to the Component permissions.

If you use the create download menu item to allow the user to select the target Category then those categories that do not have Create permission for that user group will not appear in the list of available categories.

If the Create Menu item is for a specific category then the position is not quite clear if that Category does not allow Create, so there maybe a challenge in that area.

To change the permissions of a Category would typically mean an explicit deny or allow on those permissions.  It is generally better to let the Categories and Downloads take their permissions from those of the Component.  What I have not tested explicitly is if a category has been created previously and then the  Component permissions are changed whether these flow through to the Category.  I suspect they do not. Have just checked - they do flow through if the settings are inherited

olin
Colin M
  •  

m.iannozzi

So if I have udestand correctly Jdownload works in below way

1) "ACL Create in Component"--->"allow" AND "ACL Create in Category"--->"allow" | Upload = YES
2) "ACL Create in Component"--->"deny" AND "ACL Create in Category"--->"allow" | Upload = NO
3) "ACL Create in Component"--->"Allow" AND "ACL Create in Category"--->"deny" | Upload = NO


I have tried these 3 configuration and with my surprise upload works in case 1) and 3)
This mean that ACL setting in category is ignored.
Perhaps if Jdownload should work as your description I think that is not a good practice.
Take for example a firewall rules. For a really secure firewall (any firewall is really 100% secure!) is necessary deny All inboud/outbound connection and allow only strictly necessary ip/protocoll/port for inbound and outboud connection. That 's the way to work recommended from any best practices
So from my point of view in this moment Jdownload seems doesn't work correctly because if I allow create in component for me is impossible deny upload for any category.
And if Jdownloads really slould be works as your description in necessary to change logic because in not a good way to works allow before deny.
I hope you have undestand my bad english. Sorry

  •  

ColinM

Hi
The third case is a bug. :(  It only occurs if the menu item  selects a specific category.  If, in principle, any category is allowed in the create menu option then only those categories with create permission are are made available.

Colin
Colin M
  •  

Arno

QuoteIf the Create Menu item is for a specific category then the position is not quite clear if that Category does not allow Create, so there maybe a challenge in that area.
When this scenario is used, it is the job from the administrator to use the correct permission settings for the selected category.
Best Regards / Gruß
Arno
Please make a Donation for jDownloads and/or write a review on the Joomla! Extensions directory!
  •  

m.iannozzi

Hi, sorry. But I haven't understand what does it mean.
In main menu I haven't create a single category view but I have create a menu view with "List all category". So, user browse category and if upload is enabled he can upload.
  •  

ColinM

Hi
When we have a menu item to create a download eg pic cat-acl00A.png  with the option to allow choice of category eg pic cat-acl00B.png and we choose that menu from the font end eg pic cat-acl00c.png
then if the category permissions for that user group allow create as in pic cat-acl01.png then the category will be shown as in pic cat-acl02.png.  As a result the create will occur.
However if the Categy permissions for the user group do not allow create as in pic cat-acl03.png then that category will not be shown in the list of available categories as in pic cat-acl04.png

This is the correct behaviour. :) If there are no categories with create permission then the only category shown is 'uncategorised'.

In the case where the admin user creates a menu entry for a single category it is reasonable to expect the admin user to ensure that the chosen category is available to receive new downloads obviously taking due account of the view access of the menu item
Colin

[gelöscht durch Administrator]
Colin M
  •