archiva-users mailing list archives

From Markus Reil <markus.r...@mindmatics.de>
Subject Re: Access denied WebDAV repository
Date Tue, 27 Mar 2007 15:37:11 GMT
Hi Joakim,

thanks for your answer.
If there were users with less permission than guest, that would be
alright for me.
What I meant is that even if I make the new user "Repository Observer"
he is still not able to browse the WebDAV repository. I revoked
"Repository Observer" from Guest because I do not want guests to be able
to browse or upload to repositories.
Do I have to validate a new user?

Thanks,
Markus

Joakim Erdfelt wrote:
> This is a confusing mess of roles ATM.
> 
> You just pointed out a flaw in the design of the security.
> 
> The roles that the Guest user has are not copied (or linked) to new users.
> 
> It is quite possible for new users to have *LESS* permission than a
> guest (anonymous) user!
> 
> I just discussed this with my partner in security crime, Jesse
> McConnell, and we are working on a solution to this oversight.
> 
> - Joakim Erdfelt
> 
> Markus Reil wrote:
>> Hi,
>>
>> I built archiva from trunk rev. 521889.
>> If I assign the role Repository Observer to Guest I can access the
>> repository but I a newly created user.
>> The user I created does not have the "Validated" flag set in the User
>> Management page. Is that the reason?
>> Then how can I validate the user? Is an E-Mail confirmation needed?
>> Unfortunately I am not able to send E-Mail from my server.
>>
>> Thanks in advance for any help.
>>
>> Best Regards,
>> Markus
>>
>>   
> 
> 

