incubator-jspwiki-dev mailing list archives

From Andrew Jaquith
Subject Re: page ACL issue
Date Fri, 11 Jan 2008 21:19:52 GMT
This is correct behavior.

When you create an ACL for a page, it replaces the default security  
policy. So, if your jspwiki.policy says that anonymous users can view  
page Foo (or "*" for all pages), adding an ACL of [{ALLOW edit  
florian}] means that only Florian can edit Foo, and nobody else has  
any other privileges.

The reason the system works this way is quite simple. For example, if  
you wanted to prevent all ordinary users from viewing a page called  
"Payroll," you'd add an ACL that allowed the "Finance" group to edit  
it. But you wouldn't want the default "anonymous view" policy to be  
added on top of that ACL.

We probably haven't been as clear about this as we could have been...


On Jan 11, 2008, at 3:58 PM, Florian Holeczek wrote:

>> maybe add a
>> [{ALLOW view anonymous}] - to allow anonymous (I think then  
>> everyone to view)
>>> [{ALLOW edit florian}]
>>> Florian wrote this...
> Yes, that's fine (with Anonymous, case sensitive). I already knew this
> before, though :-)
> Maybe it's an "undocumented feature" that once a policy rule is  
> given, the
> default policy rules are deactivated completely?
> Regards,
> Florian

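A small model of the rule described in this message, added here as an example and not taken from JSPWiki's code: once a page carries any ACL, the default policy no longer applies to that page. The policy table, the edit-implies-view shortcut, the function names and the sample pages are assumptions made for illustration.

```python
import re

# Default policy from the thread's example: anonymous users may view every page.
# (Constructed stand-in for a jspwiki.policy grant, not real policy syntax.)
DEFAULT_POLICY = {"Anonymous": {"view"}}

# Assumption for this model: a grant of "edit" also covers "view".
IMPLIES = {"edit": {"edit", "view"}, "view": {"view"}}

ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")


def parse_acl(page_text):
    """Return {principal: set(actions)} for every [{ALLOW action names}] in the text."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        for name in names.split(","):
            acl.setdefault(name.strip(), set()).update(IMPLIES.get(action, {action}))
    return acl


def is_allowed(page_text, principals, action):
    """Model of the described behaviour: an ACL, if present, replaces the default policy."""
    acl = parse_acl(page_text)
    rules = acl if acl else DEFAULT_POLICY
    # Principal names are matched case-sensitively ("Anonymous", not "anonymous").
    return any(action in rules.get(p, set()) for p in principals)


def pages_hiding_from_anonymous(pages):
    """Audit helper: pages whose ACL removed the default anonymous view."""
    return sorted(
        name for name, text in pages.items()
        if parse_acl(text) and not is_allowed(text, {"Anonymous"}, "view")
    )


# Constructed sample pages.
PAGES = {
    "Main": "Welcome.",
    "Foo": "[{ALLOW edit florian}]\nSome text.",
    "FooOpen": "[{ALLOW view Anonymous}]\n[{ALLOW edit florian}]\nSome text.",
    "Payroll": "[{ALLOW edit Finance}]\nSalaries.",
}

if __name__ == "__main__":
    for name, text in PAGES.items():
        print(name, is_allowed(text, {"Anonymous"}, "view"))
    print(pages_hiding_from_anonymous(PAGES))
```

The audit helper is the practical check: it lists pages where adding an edit ACL also removed anonymous viewing, which may or may not have been the intent.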