eZ Platform Discussions

Multisite - Howto "jail" admin to a root node?


#1

Hi.

I have the following content structure:

Home [2]
 |- Home Site1 [100]
 |- Home Site2 [200]
 |- Shared Content [90]
Media [43]
 |- Media Site1 [100]
 |- Media Site2 [200]
 |- Shared Media [91]

And the following configuration:

# ezpublish:
siteaccess:
    list:
        - 'site'
        - 'admin'
        - 'site_1'
        - 'site_2'
        - 'admin_1'
        - 'admin_2'
    groups:
        site_group: ['site', 'site_1', 'site_2']
        admin_group: ['admin', 'admin_1', 'admin_2']
        site_1_group: ['site_1', 'admin_1']
        site_2_group: ['site_2', 'admin_2']
    match:
        URIElement: 1

system:
    site_1_group:
        content:
            tree_root:
                location_id: 100
    site_2_group:
        content:
            tree_root:
                location_id: 200

So I have 3 public sites.
Site 1 and Site 2, which are administered by admin_1 and admin_2 respectively.
I also have a global site: Site.
And a global admin BO, which allows me to manage all my sites.

My problem is that my admin_1 is not locked in its root.
I can do the same with both URLs.

http://localhost:39080/admin
http://localhost:39080/admin_1


#2

Same problem in eZ 5: http://share.ez.no/forums/setup-design/howto-jail-admin-to-a-root-node


#3

Your configuration seems correct. I would expect the admin siteaccess to be limited to the "tree_root location id".
But maybe it has not been developed this way yet.
Let's see if someone has had this situation.


#4

Salut @Plopix,

Indeed, I did the test with the super admin…
I have not yet created the adminsite1 and adminsite2 accounts.


#5

Hi! Just in case you are using the LegacyBridge, please make sure to disable the package system! See http://share.ez.no/community-project/security-advisories/ezsa-2018-002-the-files-uploaded-via-packages-component-are-executable

Legacy is inherently not safe out-of-the-box in this kind of multi-site setup, as the package system can be used to upload PHP scripts, which can elevate the access level of the user, or do other nefarious deeds.


#6

Hi @remy_php,
I have also tried the following solution (https://doc.ezplatform.com/en/2.1/guide/configuration/#default-page), i.e. setting 'default_page' for my admin siteaccesses. It seems to set Symfony's 'default_target_path' option correctly, but then 'RedirectToDashboardAuthenticationSuccessHandler->determineTargetUrl()' is called, which overrides the 'default_target_path' option with the value 'ezplatform.dashboard', i.e. Symfony's route with path '/dashboard'.

Has anyone had any luck?

Thanks


#7

I have the same issue. How can I fix it?


#8

@remy_php
I would like editors from site1 to have content read access to node Home [2] and subtree Home Site1 [100]. How can I accomplish this?
I have tried creating 2 policies:
1) Content - read - node Home [2]
2) Content - read - subtree Home Site1 [100]
(plus user login for the relevant siteaccess, content versionread, section view, content reverserelatedlist)
When editors from site1 log in to the admin panel, in the dashboard they can see nodes Home [2], Home Site1 [100] etc.,
but /content/location/2 throws an error:
'An exception has been thrown during the rendering of a template ("User does not have access to 'read' 'content'")'

Any ideas?

Thanks


#9

Hello everyone,

@puntotuning :
Does your editor1 log on to admin1 or to the global admin?
If he logs on to admin1, then the Home node [2] is not in his jail.


#10

@remy_php Editor1 logs on to admin1. The problem is that if I don't create the policy
1) Content - read - node Home [2]
two things happen:

1) Admin1 does not see the 'Content Structure' menu
2) Admin1 cannot even view Home Site1 [100] (I think because Home Site1 is under Home, and admin1 does not have read access to Home).

How did you overcome this problem?

Thanks in advance


#11

I haven't looked at this problem in a while, and I haven't solved it on my side yet.

I created a "BO" role with the following rights:

Module     Function             Limitations
Content    Read                 Content Type: Folder, Landing page
                                Location: /Media, /Home, /Users
Content    Versionread
User       Login                SiteAccess: admin, admin_site1, admin_site2
User       Password
User       Selfedit
Section    View
Content    Reverserelatedlist

I have assigned this role to all my admin user groups.
So all my admins can connect to all the BOs… It's not terrible, but right now I'm dealing with it.

I then created a "Site Administrator" role:

Module     Function       Limitations
Content    Read           None
Content    Versionread    None
Content    Create         Content Type: Article
                          Content Type of Parent: rubrique
Content    Create         Content Type: Folder, Landing page, rubrique
                          Content Type of Parent: Folder, Landing page, rubrique

This role is assigned with the following limitations:

User/Group              Limitation
Administrateur site1    Subtree of Location: /Home/site_1_landingpage
Administrateur site1    Subtree of Location: /Media/site_1_medias
Administrateur site1    Subtree of Location: /Media/shared_medias
Administrateur site2    Subtree of Location: /Home/site_2_landingpage
Administrateur site2    Subtree of Location: /Media/site_2_medias
Administrateur site2    Subtree of Location: /Media/shared_medias

I also tried to merge the two roles to have only one and not be affected by the limitation.

Despite this, I still get an error when administrator1 tries to read location 2:
http://localhost:35080/admin_1/content/location/2

An exception has been thrown during the rendering of a template ("User does not have access to 'read' 'content'").
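Added example (not from any post in this thread, and not eZ Systems' code). The `tree_root` setting in #1 only changes which location the siteaccess treats as the root of its content tree and URL aliases; it is not an access check, which is why /admin and /admin_1 behave the same for a super admin. The boundary that is actually enforced, whatever siteaccess URL is used, is the set of role policies the permission resolver evaluates: a `content/read` policy with a Subtree limitation grants the whole subtree below a path such as `/1/2/100/`, a Node limitation grants exactly the listed location ids and nothing beside them (the ancestor read that #10 needs for the tree to render), and a SiteAccess limitation on `user/login` restricts which back office the group can log in to at all (the "all my admins can connect to all the BOs" problem in #11). The script below builds such a role with the eZ Platform 2.x Repository API; the role name, the `$adminGroupId` argument and the existence of the built-in `admin` login are assumptions, and the location ids and siteaccess names are the thread's. It does not diagnose the remaining error in #11.

```php
<?php
// Added example, not code from this thread or from eZ Systems.
// Assumes eZ Platform 2.x and a Repository instance from the container
// (service 'ezpublish.api.repository'). Location ids and siteaccess names
// come from the thread; the admin group id is a placeholder argument.

use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Values\User\Limitation\LocationLimitation;
use eZ\Publish\API\Repository\Values\User\Limitation\SiteAccessLimitation;
use eZ\Publish\API\Repository\Values\User\Limitation\SubtreeLimitation;

/**
 * Create and publish a per-site administrator role, then assign it to a group.
 *
 * @param int[]    $ancestorIds    Locations readable as single nodes only, so the
 *                                 content tree can be rendered (e.g. Home [2], Media [43]).
 * @param int[]    $subtreeRootIds Locations whose whole subtree is readable
 *                                 (e.g. Home Site1 [100], Shared Media [91]).
 * @param string[] $siteAccesses   Siteaccesses the role may log in to (e.g. ['admin_1']).
 */
function createSiteAdminRole(
    Repository $repository,
    string $roleName,
    array $ancestorIds,
    array $subtreeRootIds,
    array $siteAccesses,
    int $adminGroupId
): void {
    $roleService = $repository->getRoleService();
    $userService = $repository->getUserService();
    $locationService = $repository->getLocationService();

    // Creating roles needs an administrator. The built-in 'admin' login is
    // assumed to exist, as on a default install.
    $repository->getPermissionResolver()->setCurrentUserReference(
        $userService->loadUserByLogin('admin')
    );

    $roleDraft = $roleService->createRole($roleService->newRoleCreateStruct($roleName));

    // user/login limited to the site's own admin siteaccess. The kernel stores
    // a SiteAccess limitation value as the unsigned crc32 of the siteaccess name.
    $login = $roleService->newPolicyCreateStruct('user', 'login');
    $login->addLimitation(new SiteAccessLimitation([
        'limitationValues' => array_map(function (string $name) {
            return sprintf('%u', crc32($name));
        }, $siteAccesses),
    ]));
    $roleDraft = $roleService->addPolicyByRoleDraft($roleDraft, $login);

    // content/read on the ancestors as single nodes (Node limitation): the
    // editor can open Home [2] itself but not Home Site2 [200] beside it.
    $readAncestors = $roleService->newPolicyCreateStruct('content', 'read');
    $readAncestors->addLimitation(new LocationLimitation([
        'limitationValues' => $ancestorIds,
    ]));
    $roleDraft = $roleService->addPolicyByRoleDraft($roleDraft, $readAncestors);

    // content/read on the site's own subtrees. A Subtree limitation holds path
    // strings such as '/1/2/100/' and matches every location below that path.
    $paths = [];
    foreach ($subtreeRootIds as $id) {
        $paths[] = $locationService->loadLocation($id)->pathString;
    }
    $readSubtrees = $roleService->newPolicyCreateStruct('content', 'read');
    $readSubtrees->addLimitation(new SubtreeLimitation(['limitationValues' => $paths]));
    $roleDraft = $roleService->addPolicyByRoleDraft($roleDraft, $readSubtrees);

    // The unlimited policies the thread lists for the back office to work.
    $unlimited = [['content', 'versionread'], ['section', 'view'], ['content', 'reverserelatedlist']];
    foreach ($unlimited as [$module, $function]) {
        $roleDraft = $roleService->addPolicyByRoleDraft(
            $roleDraft,
            $roleService->newPolicyCreateStruct($module, $function)
        );
    }

    $roleService->publishRoleDraft($roleDraft);

    // Assign without a role limitation: the jail already lives in the policies,
    // so the role cannot accidentally be reused unjailed for another group.
    $role = $roleService->loadRoleByIdentifier($roleName);
    $roleService->assignRoleToUserGroup($role, $userService->loadUserGroup($adminGroupId));
}

// Usage for Site 1 (ids from the thread; $site1AdminGroupId is a placeholder):
// createSiteAdminRole($repository, 'Site 1 Administrator', [2, 43], [100, 91], ['admin_1'], $site1AdminGroupId);
```

One role per site with the subtree paths inside the policies, rather than one shared "Site Administrator" role assigned with a Subtree role limitation as in #11, keeps the authorization decision in a single place and makes it auditable by reading the role alone; a policy-level check can be exercised against the URL from #11 to confirm that location 2 is readable (Node limitation) while location 200 is not.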