I’m trying to tighten a little bit the permissions of our categories. I was wondering if there is any kind of inheritance from the parent category for the category administrators and the people who have the right to create events in the sub-category. After some tests, I have the feeling that not…
For example, I have a category where only groupA can create events. I create a sub-category and I’d expect that the same would apply by default to the sub-category, without any specific action but it doesn’t seem to be the case. I tried to say that the creation of events in the sub-category was restricted to listed users without listing any of them, with the hope that it would take the list from the parent category. But it also doesn’t seem to work…
Thanks for any clarification! Ididn’t find any doc on this topic but may be I just missed it…
The only permission that is always inherited is “full access” (ie management). If you have management access on an object, you have the same unrestricted access to anything inside, no matter how deeply nested (so someone with management access to the root category would be pretty much like an admin except for not having access to the admin area).
For normal (read) access, it depends on the configuration of the child objects. For example, any category (except the root category), event, etc. is set to “inheriting” by default, so it gets its access permissions from the first non-inheriting parent.
Other permissions are never inherited - so the permission to create events indeed has to be set on all categories where you want this. In our case more often than not the list of people authorized to create events is the same as the list of managers, so the event creation permission isn’t needed, or the categories are access-restricted - in that case it’s fine to not restrict event creation at all since only people with access to the category can create events in there anyway.
I wonder if event creation permission shouldn’t be inherited (or not) together with access permission. Example: if I limit event creation on a category but then create a sub-category of it, I’ll have to set it again explicitly. This is not very good in cases where many people have management permissions and not necessarily everyone knows what they’re doing…
@pferreir it was the reason for my question in fact! I don’t know if it can be changed at this point without breaking too many things, it’s up to you to decide! The current behaviour is clearly a little bit unexpected.
Since categories cannot contain both events and subcategories, I think the risk of enabling inheritance for this permission seems rather low since it’s rather unlikely that a category that’s not a leaf in the category tree has any event-creation ACL entries set.