Hi there

I just want to find out how permissions and roles work in dotProject.

Do roles override permissions set for every user or do user permissions override the role permissions.

Some help in this regard would be much appreciated.

Tnx in advance

Think of a Role as a group of permissions. For example, for people on my staff, their role is "Project Worker" who has no access to the Admin Modules, no access to the Company module, access to the Company "CaseySoftware" and no access to certain projects within CaseySoftware.

Caseydk

A question on your comment "no access to certain projects within Caseysoftware":

How do you do this?
* By explicitly adding to the role 'projectworker' no access to these projects?
* or can users only see those projects to which they've been added as a 'contact' or task assignee?
* or by setting permissions for each of those users to which projects they have access and to which not?

Thanks in advance

Stephan

I think the third answer.
The first one isn't a good solution because a role is a template for some people. So they probably haven't the same projects when they are project worker. For the second solution, you can put the participant permission on task but for the project I don't know if it possible directly without using user admin.
For the third, you can put the role Project Worker with only access to all projects (to have the project module accessible) and specify one by one the projects you want to have access for each users. Because you put only access to all projects (and not view), you don't see them by default. With specifying access and view to the project you want, you can realise what you want.

If there is another solution, I will be very happy to know it.

Can someone know the difference between participant and protected tasks permissions ?

Hi

Tnx for the reply Caseydk. It helps a lot.

I think i'll make the roles as restrictive as possible, then just add permissions per user as needed.

Thanks again

Louis

Yes, Dyonisos,
I was also thinking in the line of the third possibility as the most efficient way to do it. This is actually how I set it up on my test environment.

However, it will mean that a project manager of a certain project will have to ask the Dotproject sysadmin to grant access to this and this user to his project (being project members), instead of being able to do this himself.
I don't want to give the project managers access to the user admin module, because then they can tamper with their own permissions and roles.

Or am I missing something?

Regards,

Stephan

Yes, Stephan.
It's a problem. Moreover, if we don't want that project leader have access to users admin, it will be very long for admin to deal with that projects and permissions. It's a choice to do. I don't know another solution.

Sorry for my bad english. If someone hates my mistakes, can he help me to improve my english ? I'm always aware of advices.

Regards,
Dyonisos

Hi dyonisos,

Thanks for the reply. It is clear for me.

We're not all native english speakers. That's what makes the world - and these virtual communities - so interesting. However, I don't think the Dotproject forums are meant for english lessons ;-).

Best regards,

Stephan

Here is a reading suggestion:

http://phpgacl.sourceforge.net/demo/phpgacl/docs/manual.html

People are using this stuff in dP and don't even know what it is...

Pedro A.

Caseydk

A question on your comment "no access to certain projects within Caseysoftware":

How do you do this?
* By explicitly adding to the role 'projectworker' no access to these projects?

(Sorry, I've been tied up this week... not literally.)

By doing this one. Since it applies to everyone and not just selected people, it made the most sense to do it here as opposed to on a per-user basis.

Besides, then if/when I add new users, the permissions will apply to them auto-magically without any modification.

Role: Project Worker

With a lot of help from the previous postings, I found that the following combination of role and user-level permissions allows me to set up a Project Worker that has access to a specified project. Within the project, only tasks to which this user is assigned can be opened (They can't be edited.). Only for tasks to which this user is assigned can the user create and edit a task log.

Item Type Status
Non-Admin Modules Access allow
Projects Access allow
Tasks Access allow

User-level Permissions:
Item Type Status
Tasks Access View allow
Task Logs Access Add Edit View allow
[company] Access View allow
[project] Access Add Edit View allow

For use with consultants, access in the "role" to non-admininstrative modules can be removed or limited.

Cheers,

Role: Project Worker - With a lot of help from the previous postings, I found that the following combination of role and user-level permissions allows me to set up a Project Worker that has access to a specified project.

Nice work, Jleone! I was working on that myself today. I wonder how many HUNDREDS of combinations you tried before coming up with the right combination :)

(Hopefully Karen will pick up your two posts today and copy them into the FAQ.)

I can understand having to keep making adjustments until you get it right but, in my opinion, it shouldn't be possible to set a combination of permissions that generates SQL errors. I had several of those while playing around with it today. I imagine you did too.

Thanks very much for posting your success!

Ciao!
MOTE

(Hopefully Karen will pick up your two posts today and copy them into the FAQ.)
MOTE

Even better anybody can add comments to any documentation pages on the http://docs.dotproject.net - there's an example permission set page there - if everyone did that then it would be helpful to all.

About file permissions, I made some experiments which I think it would be interesting to share.

I've been working around references:
http://docs.dotproject.net/tiki-index.php?page=2.0+Permissions+Examples
http://sites.sakienvirotech.com/moodle/mod/resource/view.php?id=494

I have

role 'partner':
Projects: alow access
Tasks: alow view
Files: alow access view

user 'toquinho' (role 'partner')
Company 'MPB': alow access view
Project 'Good times': alow view

Ok, able to view project file, not others with url (X!=8)
http://ipanema/dotproject/fileviewer.php?file_id=X
e.g, if the user uses an url
http://ipanema/dotproject/fileviewer.php?file_id=16
he gets an "access denied", as expected.

Now if an external consultant participates in a projet, better give her rights to add and edit files, so I tried the following setup

role 'partner':
Projects: alow access
Tasks: alow view
Files: alow access view *add edit*

user 'toquinho' (role 'partner')
Company 'MPB': alow access view
Project 'Good times': alow view

With the url
http://ipanema/dotproject/index.php?m=files&a=addedit&file_id=X
with X=any existing file_id from any project from any company, the user has access to the file information she is not supposed to see. The user is *not* able to download the file, but he *is* able to see and edit file information *and* to change the file as well as the project it belongs to, which, without html hacking, is a project the user has access to. This seems to me as a major security flaw, unless I'm missing something.

Intersting... for the checkout, with the url
http://ipanema/dotproject/index.php?m=files&a=co&file_id=29
the user sees the file checkout screen, but when she goes on he gets an "access denied" window. Not so bad, except for the file info access.

Janvrot

Hi

I don't really know, if this is the right place, because I just started my forum account, but I wanted to contribute a patch.

At our site we needed the ability to allow the specification of items when setting role permissions. So I've patched "permissions.class.php" in classes/ and "vw_role_perms.php" in modules/system/roles to include this. (As dp is based on phpgacl this was very simple)

So know you could set (Say project "abc" is an internal project, not suitable for external customers, who also work with dp):

role 'external':
Projects: allow access
Projects/abc: deny access

Where should I put this patch?

Regards,
Dennis

You can use the dPs sourceforge patches page and add a link here.

Pedro A.