One enhancement that has been outstanding for quite a while is the category view enhancement detailed here:-

http://www.ventrian.com/Resources/Blog/tabid/243/articleType/ArticleView/articleId/266/Category-View-Enhancement.aspx

and in the feedback center:-

http://www.ventrian.com/Feedback/tabid/265/ctl/ViewFeedback/mid/648/FeedbackID/18/Default.aspx

There are 2 possible approaches to this solution, I am seeking some feedback on the best possible approach while trying to relate the difficulty in one approach.

1.) Module Level Security

Currently in News Articles, we have security for Approval and Submission at the module level. (e.g. you define these in admin options).

An extension of this security could be added to include the additional permissions of Summary Only (show only a summary of the article and a option to provide a link to a signup page, e.g. subscription sites) and Full Article (allow the user to link through to the complete article). This would also protect against someone directly linking to the article (which the module does not currently do).

The security matrix would look something like the attachment (security in Simple Gallery). Permissions could apply to each instance, so you could still maintain a single version for all your categories and still have some flexibility.

The difficulty for implementing this is medium.

2.) Category Level Security

Category level security is infinitely more complex, especially with the introduction of possible sub-categories (and the existing multiple categories).

This enhancement involves adding the above permissions to each category. When querying for articles, permissions are checked and articles are hidden/displayed depending on the security criteria. I do believe it could be possible, but it would really complicate matters. It involves a lot of security checking within SQL and I am concerned about the possible performance.

The difficulty for implementing this is difficult.

Conclusion

Do you have any suggestions, do you think option 1 will meet most needs? We can always begin with option 1 so at least we have some level of security available.

Scott,

Seems to me that option 1 is best for the scenario that you yourself mentioned (subscription sites). Option 2 has the broader applicability that I'd be interested in.

Given that you're already using stored procedures, would the performance hit really be that big?

Anyway, I'd' be happy to see option 1 first with option 2 on the roadmap.

Cheers,

Matt

I need some help understanding option 1. If I have the ArticleModule installed on a Tab and permission are implemented as suggested does this mean that the permissions are applied to all Articles in that instance or can I choose per Article.

As I understand it now this is the same as a global module permission making all articles in that module instance visible or not. If that is the case then this is something I don't want.

It is applied to all articles in that instance, so depending on role they would only be able to see the summary, full article, submit and approve. This works if  all your articles in that instance are subscribers based and you want to limit access on all articles.

I think I see what you are getting out, you are after a method of marking a subset of articles within an instance to only shown the summary for example. If we use option 2, you could mark those articles with a specific category, e.g. subscribers.

I am one that has been anxiously awaiting the Category option.
I agree that it must be difficult to implement since I haven't seen anyone do it properly yet.

I think it should be a separate module, that could be utilized by module developers.
It would be a great enhancement to the Calendar module as well.  I think the concept of
the Category can be expanded and applied to Users/Groups etc.   The Idea would be this.

You could have multilevel Categories.  You would have administrative ability to decide the
number of levels you could apply security to.  This effectively turns that category level into
a security group.  Then the categories below that level are still considered as traditional
categories.

So, with the Calendar Module this would allow you to create group calendars and even
subGroup Calendars, and have a number of different Categories for events for each
of the group calendars.  All managed by the category module.

Hmm, I have been thinking about the subscribers only category.

The problem comes from the questions, do you need to pass all categories permissions requirements to view articles?

For example, I run a hobby site and have categories of Planes, Trains, Automobiles, I also have a subscriber category that has my own special techniques for creating models. So for articles in the subscriber category, I only want them visible to subscribers (except for the summary).

I create an article "Making Models for Planes" and mark it with a category of Planes. Everything is OK, and visible by everyone, (or the roles I choose).

I now create an article "Making Models for Planes Extreme Course" and mark it with a category of Planes and Subscribers. If I make it pass only 1 of the categories to view, everyone will be able to see because of the "Planes" role, which it should belong too. If I make it pass "ALL" categories security check to view, it will work properly, but be a fairly complicated calculation. Multiple categories makes things complicated.

Perhaps, I should just have a flag on an individual article for securing the article, rather then via the category?

Scott,

I don't like the idea of per-article setting. Would become a headache reasonably quickly.

I think once you choose one category accessible to all, subscriber categories should not be selectable and vice versa. That way, it could be assigned among multiple categories of the same type.

Either that, or setup an admin option to control how this works, eg. Role behaviour; if an article is assigned to multiple categories, with at least one accessible to public roles and one as subscriber-only, then the options would be:

- Display all for all roles

- Display summary only for public role

- Display none for public role

On top of that you would have an admin option to allow selection of which role is considered "public" (usually All Users but some might want to configure it). Then when you are configuring categories, this role would be included by default. Deselecting it would pop up a warning that this category will no longer be public.

Or I might be talking garbage

Cheers,

Matt

This is the problem, it's difficult to explain and implement because of multiple categories. If it were just single categories, I don't think this would be a problem.

We currently have a flag for "featuring" an article, what if this flag was used with some extra settings to hide the detail of the article. This way we keep the security aspect separate from the category and we even have support already for a different template and the option to bubble it to the top if need be.

You say that tagging articles with a flag could be difficult to manage, I do have plans to re-do the approve, my articles screens, etc into 1 article manage instance. This might make it easier.

The admin settings would be something like:-

• CheckBox: Secure Featured Articles
• Permissions Per Role: View Full Article (check box list)

Would this work for you guys? 

I've implemented this functionality locally, here is what I did:-

• Add a flag called IsSecure to the articles table.
• Added the following options to the Admin Options screen:-
• Roles to view secured articles (checkbox URL)
• Secure URL (textbox) -- (a page to redirect non-secured users)

Now when a user goes to view a secured article (marked when editing/adding an article) and fails the security check against the roles configured, he/she will be redirected to the Secure URL page (if specified), or just back to the current page (if not specified, although you should specify Secure URL).

So it ended up being a relatively simple implementation once it was broken away from multiple categories, I look forward to the feedback and it will released in the morning.

Does this sounds like a good start for your current needs?

In the morning????? Can't wait that long...just kidding. I have also implemented the Feedback Module now. I slightly changed resx files so that it works on my site:

http://www.smallbizserver.net/Default.aspx?tabid=290

And the Faq in the forum: http://www.smallbizserver.net/Default.aspx?tabid=53&view=topics&forumid=43