Access control hierarchy
- Last updated on November 4, 2021 at 4:47 AM
Our article permissions system is such that essentially each level is a new gate. Think of it like entering a building, then entering a locked room in that building, then attempting to open a locked diary that's on the desk. You need each individual key to get access to the content in the diary.
Similarly, to access an article, a logged in user must satisfy the access control at all levels:
- Category
- Subcategory
- Article
If any level has restrictions, those restrictions must be passed to gain access to even peek at what’s beneath it (or get access to it in the case of an article).
e.g., if the hierarchy of category - subcategory - article tree was:
- Category - public
- Article 1 - public
- Subcategory - nobody
- Article 2 - public
Then all users will have access to "Article 1" but no user will have access to "Article 2", since they never should get passed the Subcategory level access control.
Another example:
- Category - restricted: smart group = primary
- Article 1 - public
- SubCategory - public
- Article 2 - public
- Article 3 - restricted: smart group = blue OR red
Logged out users will see nothing, since access control is applied at the top level.
A user that is in the “blue” smart group only, has access to nothing, since they didn’t satisfy the Category level restriction.
A user that is in the “primary” smart group only, has access to content that sits right inside the top level category (in this case, "Article 1"), and any public content in the subcategory (e.g., "Article 2"), but can’t access "Article 3" since that is marked as “restricted: blue”
A user that is in both the “primary” AND “blue” smart groups, has access all the way down, since they meet the criteria at each level. This also applies if the user was in both the "primary" and "red" groups, as at each individual level the rule is "OR" based.