incubator-jspwiki-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Weijian Fang ...@ecs.soton.ac.uk>
Subject Re: edit PagePermission implies createPages WikiPermission?
Date Thu, 14 Jan 2010 16:11:52 GMT
Still the same.

I have set log4j level to debug. After I disable the "edit"
PagePermission, when I try to create a new page, I can see in the log
a line saying that

User has no access - forbidden
(permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
"wikiname:NewPage", "edit"))

When does jspwiki test the "edit" PagePermission instead of the
"createPages" WikiPermission?

If I enable the "edit" PagePermssion, interestingly, no information is
given in the log saying about the "edit" permission or "createpages"
permission.

Cheers,

Weijian


2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
> Weijin --
>
> Your understanding is correct: users who have the "edit"
> PagePermission, but hot the "createPages" WikiPermission, should not
> be allowed to create new pages.
>
> The "edit" PagePermission should not imply the "createPages"
> WikiPermission. The Java code for the two classes doesn't show that
> there is any relationship between the two. If that is actually
> happening, then it is a bug.
>
> Could you verify this behavior with a completely stripped down
> security policy? (i.e., remove all commented out permissions, etc)?
>
> Andrew
>
> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>> Hi,
>>
>> In my jspwiki 2.6.2 isntallation, if I give the "edit" PagePermission
>> to somebody, e.g. Authenticated users,  but not the "createPages"
>> WikiPermission, my understanding is the users should be able to edit
>> existing pages but not create new pages.
>>
>> grant
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "upload";
>> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>> "*", "createPages";
>> };
>>
>> However, my authenticated users also get the permission to create
>> pages. In my experiments, the "upload" PagePermission does not imply
>> "createPages", but "edit" does.
>>
>> Have anyone seen this before? Where did I do wrong? Many thanks.
>>
>> Weijian
>>
>

Mime
View raw message