incubator-jspwiki-user mailing list archives

From Peter Schart <p...@goodinassociates.com>
Subject Re: Of Permissions and ACLs
Date Fri, 26 Mar 2010 17:13:28 GMT
Thanks for the reply and confirmation. I suppose I see your point, to an extent... It could
certainly cause some confusion if you weren't careful with your policy and group assignments,
but -- and perhaps I'm just biased here ;) -- to me it seems like the policy for a *Group*
should override an ACL. Or perhaps there could be another "special purpose" permission similar
to AllPermission but strictly for view/edit stuff (no other admin-like capabilities). Obviously,
you're in a better position to think through the ramifications than am I, so I will defer
to your decision.

Thanks again!


> Peter, your understanding is correct. To accomplish what you want,
> you'd need to edit the ACLs of the protected pages to include the
> Editors. Or, as you pointed out, you can give the Editors the
> AllPermission.
> 
> You can see why it is this way, right? Otherwise, ACLs would
> essentially be meaningless because you could override any ACL by
> modifying the base policy. But let me think about this a bit more.
> Perhaps there is something we can do in the 3.1 timeframe.
> 
> Andrew
> 
> On Fri, Mar 26, 2010 at 12:19 PM, Peter Schart
> <pete@goodinassociates.com> wrote:
>> I'll try to keep this as brief as possible as I'm fairly sure it has a
>> simple answer. Here's the situation:
>> 
>> I've got a wiki that has some fairly strict permissions:
>> 1. Nothing is viewable unless asserted or authenticated.
>> 2. Nothing is editable unless user is a member of group "Editors".
>> 3. Non-editors belong to 1 of 3 groups (call them A, B, and C)
>> 4. Some pages are viewable by all 3 groups; others are only viewable to 1
>> of the 3 groups (via ACLs, e.g.: [{ALLOW view A}]).
>> 
>> What I'd like to do (and what I think is impossible) is to allow members
>> of the "Editors" group to be able to view/edit anything (regardless of
>> whatever ACL a page might have) but not have AllPermissions (i.e.: they
>> shouldn't be able to approve new users, delete pages, etc...).
>> 
>> In my .policy, the Editors group has modify and rename for PagePermissions
>> but I still get the "You're not allowed to do that" message when trying to
>> view any page with an "ALLOW view [A|B|C]" ACL.
>> 
>> I *think* that the only way to override page ACLs is to give the group
>> AllPermission in the .policy. Is this correct? If so, is there any way to
>> achieve the "Editors can edit anything but aren't admins" goal other than
>> adding "Editors" to every view ACL?
>> 
>> Thanks for your help.
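
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not JSPWiki's own code: a simplified model in which the policy must grant an action, a page ACL then narrows it, and only AllPermission bypasses the ACL, plus an audit that lists pages whose ACL omits a group. The page texts, the flattened policy sets, the "Admin" group and all function names are constructed for illustration; permission implication between actions is not modelled.

```python
import re

# Page ACL markup in the form quoted in the thread: [{ALLOW view A}]
ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]+?)\s*\}\]")

def parse_acl(page_text):
    """Return {action: set(principals)} for every ALLOW entry in the page."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        principals = {n.strip() for n in names.split(",") if n.strip()}
        acl.setdefault(action.lower(), set()).update(principals)
    return acl

def is_allowed(groups, action, page_text, policy):
    """Simplified decision model (an assumption, see the lead-in)."""
    granted = set()
    for g in groups:
        granted |= policy.get(g, set())
    if "AllPermission" in granted:   # the only policy grant that bypasses ACLs
        return True
    if action not in granted:        # the policy must grant the action first
        return False
    acl = parse_acl(page_text)
    if not acl:                      # no ACL on the page: the policy decides
        return True
    # An ACL narrows what the policy granted; it never widens it.
    return bool(acl.get(action, set()) & set(groups))

def pages_missing_group(pages, action, group):
    """Names of pages whose ACL restricts `action` without listing `group`."""
    missing = []
    for name, text in pages.items():
        acl = parse_acl(text)
        if action in acl and group not in acl[action]:
            missing.append(name)
    return sorted(missing)

# Constructed sample data, not taken from any real wiki.
PAGES = {
    "Main": "Welcome.",
    "TeamA": "[{ALLOW view A}]\nNotes for group A.",
    "TeamB": "[{ALLOW view B, Editors}]\nNotes for group B.",
}
POLICY = {
    "Editors": {"view", "edit", "modify", "rename"},
    "A": {"view"},
    "Admin": {"AllPermission"},
}

if __name__ == "__main__":
    print(pages_missing_group(PAGES, "view", "Editors"))
```
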

