Issue with access right when a user is assigned to two user groups
By ugenda on Monday, 27 June 2022
Posted in JEvents (Free Access)
Replies 13
Likes 0
Views 742
Votes 0
I have a site with (Joomla) authors user group and I've created a separate user group 'organizations'. This user group has 'registered' as a parent. Authors are allowed to submit new articles, but shouldn't have access to adding or editing events. Organizations are allowed to add events, but don't have access to articles.

This works fine, except in the case a user is assigned to both user groups. We have two users in our team who write articles, but also organise events. So they are assigned to both user groups. These users do have access to menu items assigned to either one of the groups. But it seems JEvents only looks at one of the access rights, namely the one of the author group (which has a lower id). So the user might see a menu item for adding events, but if they click on it, they get an error they have no rights to create an event.

I could only solve this by giving the authors event editing rights too, but I have go give them access right to each category too. And even though the authors won't see the Add event menu item, they will see the option below the calendar.
We tend to getAccessRights methods native to Joomla! Can you confirm they are not hierarchy and are say:

Registered
- Organisations
- Authors

If so it should take both into account. Otherwise it is possible if Organisations are denied it will deny it from Authors too.
tonyp
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
it is possible if Organisations are denied it will deny it from Authors too.

I suspect this could be the issue - 'inherit' is safer than 'deny' permission in this situation.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
My group setup is:

- Registered
-- Author
--- Editor
---- Publisher
-- Orgnisation

Somehow Authors and Organizations interfere
ugenda
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
I checked your sanbox site and see that Authors are 'denied' permission to create, edit and publish events. This is where the problem arises - the 'denied' rule overrides the 'allowed' rule for the organiser group members. This is how it is handled within Joomla unfortunately

One solution is to create a 3rd group 'author/organisers' that are allows to create events AND articles and put these users in this new group instead of the 2 separate groups.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
This quite odd, since on my old site (Joomla 3 with Joomla Eventmanager as a calendar) we never had this problem. This would also imply the users in question would not be able to add articles, since the organisation group is denied to add new articles.

I always thought Joomla was granting the highest permissions. Did this change in Joomla 4? It would mean a user can't be assigned to 2 or more users groups and you would have to create a new group for each combination of user groups.
ugenda
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
You are not seeing problems with article creation?

I will take a closer look at your sandbox - can you create a test user that sees this problem for me to check please.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
The whole principal of assigning multiple uaergroups to a user is that you allow more access rights. If the two uaergroups interfere and take the least permissions into account, than the whole point of multiple user groups is useless.

In my case the user within two uaergroups is allowed to add articles, but access is denied for creating events.

I've created a new user account and added the login / pass above in the first post here.
ugenda
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
Is your sandbox site still live? I don't seem to be able to access it
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
I don't know which url you are using. I've added the correct url for testing in the original post.
ugenda
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
I was looking at zandbak.**.** - sorry, I'm looking at the test site now.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
If I look at administrator/index.php?option=com_users&view=debuguser&user_id=5080 and filter by 'articles' I see the permission to create articles but if filtering by 'jevents' there is no permission to create events.

JEvents and Articles inherit the permissions from the global permissions - see administrator/index.php?option=com_config - here 'authors' are granted permission to 'create' items (articles or components)

For articles you have set 'auteur' create permissions to 'allowed' - but they could be set to 'inherited' and still have create permission.

I am currently recreating an equivalent setup in my Joomla 4.1 site. I'll let you know what I find.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
Looking at the core Joomla permissions report for the users in both user groups you will see that the issue is not caused by JEvents interpretation of the permissions - we use the permissions analysis from Joomla itself.

The only way I can see that you can set up these permissions is to create a new group under 'registered' that is allowed to create articles and events.

The Joomla 'deny' setting is overruling the 'allowed' setting.
geraint
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
Hmm. Strange, since we didn't have this issue with our old calendar system and with other components. I'll try to sort this out if it is within our configuration.
ugenda
·
2 years ago
·
0 Likes
·
0 Votes
·
0 Comments
·
View Full Post