CMS module for Phprojekt

CMS module for Phprojekt

FS#175 - Stats don't follow access permission rules.

Attached to Project: CMS module for Phprojekt
Opened by Mario A. Valdez-Ramirez (mvaldez) - Friday, 18 March 2005, 09:07 GMT-5
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Friday, 18 March 2005, 12:03 GMT-5
Task Type Bug Report
Category Backend / Core
Status Assigned
Assigned To Mario A. Valdez-Ramirez (mvaldez)
Operating System All
Severity Medium
Priority High
Reported Version any
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No


Stats page shows all stats for all content without considenring the access of the user.

Expected behavior:
Only content that can be accessed by the user should be shown.
This task depends upon

Comment by Mario A. Valdez-Ramirez (mvaldez) - Friday, 18 March 2005, 09:25 GMT-5

This behavior is by design.

Initial requirements documentation is missing, but I remember that we considered:

a) To show stats of content not accessible by the current user may not compromise security as the content itself cannot be viewed.

b) The performance penalty for calculating the access to a single document would be multiplied in the stats page (access-by-role calculation is so complex that it should be done in the PHP realm, not in the SQL realm). As of today, transversing the permission matrix is very expensive (and it will get worse when full ACLs be implemented).

c) How can we display stats of a pruned document tree? For example, if most popular documents are not accesible by me, what should the stats page show? An empty page? An obscured-title/URL page? A stat page with relative stats only showing my own most popular items?

d) What if content is so sensitive that not even the title should be shown (after all, the title is content too).

So, issue "A" was considered acceptable. Issue "B" was analyzed and decided on the side of performance. Issue "C" was analyzed and I couldn't find an acceptable solution, but because we decided to use an unrestricted stat page, we didn't have the urge to reach a solution. Issue "D" is unsolved but if the information is so sensitive, it should only be shown to the users with access or it should not even make it to the stats or the title should be obscured.

I think that to keep the balance of security and performance we can provide the following changes:

1) A global configuration option to enable public/only-admin stats.

2) An option to obscure the title/URL of not accesible items. This is performance-cheap, because we calculate the stats first, then calculate the access permissions on the items to be listed.

3) Study again the performance problem regarding the usage of the permission matrix while building the stats (not after).

The only workaround is to disable stats (by setting the number of documents to shown in stats to zero). (Solution first suggested by Mark Coudriet).