Website permissions by contact

Currently, website_list_for_contact is a mess, and is broken anyway in a number of ways. It is confusing, unclear and worst of all insecure. Vulnerabilities have been reported (not that that ever gets much of a response…). It should probably even have a better name like ‘website_contact_permissions’ but it has obviously grown out of the portal list getter.

I would like to rewrite it and make it:
a) clearer, so that users understand how it works and what access is granted
b) more consistent, so that users get the behaviour they expect regarding access
c) more customizable, so that users can control access to portals better (or indeed, at all)
d) more secure, with tests to confirm that access is only granted in accordance with the options selected

The problem is that I don’t know how it is supposed to work (it is too broken to be a reliable guide, and I assume there are no tests for it). So:

  1. What is the significance of having the role ‘Supplier’ as a Website User?
    This seems to turn on ‘magic’ which allows some access to some ‘Supplier’ documents. This is all automagic, is not well-documented and is a serious security risk as it stands (in that it is easy to unintentionally leak data).

  2. What is the significance of the Role Permissions on the ‘Supplier’ Role? For example, if ‘Supplier’ has read permissions on PINV but not PO, does that mean a website user:
    i) can read any PINV or PO
    ii) can only read POs they are linked to, but any PINV
    iii) can only read POs or PINVs they are linked to (i.e. Role Permissions are pointless and confusing)
    iv) can read any PINV but no PO
    v) can read only PINVs they are linked to but no PO
    vi) can read neither PINV nor PO

Obviously it’s not i or vi, and probably not iv. Arguably it shouldn’t be iii, but I think it is…

  3. What are the rules regarding access by contact? Which documents should a linked contact see when they are a Supplier, or a Customer, or both? What should a Desk user (with permissions) see: all the documents, or only ones they are linked to by contact? Is there any difference between permissions on the ‘Supplier’ role or any other role?

  4. If I want to stop linked contacts seeing a document type, how do I do it?
    If I want a linked contact to see all of a document type, how do I do that?
    I don’t think you can currently do either, and it’s not possible to have both options and the contact-linked option using only Role Permissions (additional options would be required).

  5. If the Portal for a document is disabled, should that affect access to the individual documents (i.e. should it be an additional permissions check)? This could be a way of disabling viewing of documents altogether.

  6. Currently creating a user with an email address that matches the email_id on a contact links that contact with the user. Should this be automatic? Is it clear to users that this happens (I would argue no)? Should there be a way to turn this off? (yes). I assume this behaviour is the one intended, but it came as a dramatic surprise to our company (and led to us halting a roll-out of a portal feature) when we realised that if any of the many suppliers we had added contact details for had created an account, they would have been able to access PINVs and POs we didn’t necessarily want them to see (plus anyone else’s if they had plugged in a URL due to another bug). This broke the principle of least surprise AND the general principle that systems should be configured secure by default.

Incidentally, currently the bit in website_list_by_contact compares the contact’s ‘email_id’, rather than ‘user’ field, to match against users (which is another bug?) so whether it actually links or not is fairly irrelevant.

PS Why does accidentally raising an exception in a has_website_permission call (as currently happens due to a bug in some circumstances) seem to grant permission rather than deny it?

Further questions: Some forms appear to have additional options for the customer/supplier. For example, ‘Pay’ on SINV, ‘Make Invoice’ for PO. These are all options that should be off by default, but how do you turn them off at all?

The ‘customer/supplier’ portal needs proper configuration options. Again, I can have a go at this (albeit not quickly) but I need to know what the ‘expected’ behaviour is.

There is also stuff regarding Quotations and RFQs which is all handled a bit differently and which I haven’t even looked at yet.
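The post asks for three things the current getter does not offer: an explicit per-doctype choice between "no portal access", "linked documents only" and "all documents" (questions 4 and 5), contact matching on the contact's `user` link rather than its `email_id`, and a check that denies rather than grants when it raises (the PS). The following is an added, self-contained Python model of such a check; it is not Frappe or ERPNext code, imports nothing from `frappe`, and the `PORTAL_POLICY` / `PORTAL_ENABLED` settings, the `Contact` and `Document` classes and the sample rows are all constructed for illustration. Doctype abbreviations follow the post.

```python
"""Illustrative fail-closed portal permission model (constructed example, not Frappe code)."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("portal_permissions")

# Hypothetical per-doctype portal policy the post asks for (not a real ERPNext setting):
#   "none"   - linked contacts never see this doctype through the portal
#   "linked" - a contact sees only documents for a party it is linked to
#   "all"    - any portal user may read any document of this doctype (explicit opt-in)
# A doctype that is not listed defaults to "none": secure by default.
PORTAL_POLICY = {"PINV": "linked", "PO": "linked", "SINV": "linked"}
# Hypothetical "portal enabled" switch per doctype; a disabled portal also denies document reads.
PORTAL_ENABLED = {"PINV": True, "PO": False, "SINV": True}


@dataclass(frozen=True)
class Contact:
    user: str                    # explicit link to a login; this is what we match on
    email_id: str                # deliberately ignored for matching
    links: frozenset = field(default_factory=frozenset)  # e.g. {("Supplier", "ACME")}


@dataclass(frozen=True)
class Document:
    doctype: str
    name: str
    party: tuple                 # ("Supplier", "ACME") or ("Customer", "Bob Ltd")


# Constructed sample data: Bob's contact has a different email_id from his login.
CONTACTS = [
    Contact("alice@example.com", "alice@example.com", frozenset({("Supplier", "ACME")})),
    Contact("bob@example.com", "other@example.com", frozenset({("Customer", "Bob Ltd")})),
]


def contacts_for_user(user, contacts=CONTACTS):
    """Return contacts explicitly linked to this login. email_id is never consulted."""
    return [c for c in contacts if c.user == user]


def _check(doc, user, policy, enabled, contacts):
    """Raw decision; may raise on misconfiguration, which the wrapper turns into a deny."""
    if not enabled.get(doc.doctype, False):
        return False                       # disabled portal is an additional deny
    mode = policy.get(doc.doctype, "none")
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "linked":
        return any(doc.party in c.links for c in contacts_for_user(user, contacts))
    raise ValueError(f"unknown portal policy {mode!r} for {doc.doctype}")


def has_portal_permission(doc, user, policy=PORTAL_POLICY, enabled=PORTAL_ENABLED,
                          contacts=CONTACTS):
    """Fail closed: any exception inside the check is logged and treated as deny."""
    try:
        return bool(_check(doc, user, policy, enabled, contacts))
    except Exception:
        log.exception("permission check failed for %s %s; denying", doc.doctype, doc.name)
        return False


def portal_list(doctype, user, docs, **kw):
    """Names of `docs` of `doctype` the user may see; the list and the read check agree."""
    return [d.name for d in docs if d.doctype == doctype and has_portal_permission(d, user, **kw)]


if __name__ == "__main__":
    docs = [
        Document("PINV", "PINV-1", ("Supplier", "ACME")),
        Document("PINV", "PINV-2", ("Supplier", "Other Co")),
        Document("PO", "PO-1", ("Supplier", "ACME")),
    ]
    print(portal_list("PINV", "alice@example.com", docs))   # only PINV-1
    print(portal_list("PO", "alice@example.com", docs))     # [] because the PO portal is disabled
```

The list getter and the single-document check share one decision function, so the portal list can never show a document the read check would then deny, or vice versa; a bad policy value raises inside `_check` and becomes a logged deny instead of a grant.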