Date: Fri, 26 Mar 2010 12:59:03 -0400
Subject: Re: Of Permissions and ACLs
From: Andrew Jaquith
To: jspwiki-user@incubator.apache.org

Peter, your understanding is correct. To accomplish what you want, you'd need to edit the ACLs of the protected pages to include the Editors. Or, as you pointed out, you can give the Editors the AllPermission.

You can see why it is this way, right? Otherwise, ACLs would essentially be meaningless because you could override any ACL by modifying the base policy.

But let me think about this a bit more. Perhaps there is something we can do in the 3.1 timeframe.

Andrew

On Fri, Mar 26, 2010 at 12:19 PM, Peter Schart wrote:
> I'll try to keep this as brief as possible as I'm fairly sure it has a simple answer. Here's the situation:
>
> I've got a wiki that has some fairly strict permissions:
> 1. Nothing is viewable unless asserted or authenticated.
> 2. Nothing is editable unless user is a member of group "Editors".
> 3. Non-editors belong to 1 of 3 groups (call them A, B, and C)
> 4. Some pages are viewable by all 3 groups; others are only viewable to 1 of the 3 groups (via ACLs, e.g.: [{ALLOW view A}]).
>
> What I'd like to do (and what I think is impossible) is to allow members of the "Editors" group to be able to view/edit anything (regardless of whatever ACL a page might have) but not have AllPermissions (i.e.: they shouldn't be able to approve new users, delete pages, etc...).
>
> In my .policy, the Editors group has modify and rename for PagePermissions but I still get the "You're not allowed to do that" message when trying to view any page with an "ALLOW view [A|B|C]" ACL.
>
> I *think* that the only way to override page ACLs is to give the group AllPermission in the .policy. Is this correct? If so, is there any way to achieve the "Editors can edit anything but aren't admins" goal other than adding "Editors" to every view ACL?
>
> Thanks for your help.
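
The rule discussed in this thread, as an added example that is not part of the original messages and is not JSPWiki's own code: a simplified Python model in which the base policy and the page ACL must both permit an action, and only AllPermission skips the ACL. The policy table, page texts, function names and the action-implication map are constructed assumptions.

```python
import re

# Assumed, simplified implication map for page actions (not from the thread).
IMPLIES = {"modify": {"modify", "edit", "view"},
           "rename": {"rename", "edit", "view"},
           "edit": {"edit", "view"}, "view": {"view"}}
ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")

# Constructed sample data: group -> granted actions, and three page bodies.
POLICY = {"Editors": ["modify", "rename"], "A": ["view"],
          "Admin": ["AllPermission"]}
PAGE_A = "[{ALLOW view A}] Notes for group A."
PAGE_FIXED = "[{ALLOW view A}] [{ALLOW edit Editors}] Notes for group A."
PAGE_OPEN = "A page with no ACL."

def parse_acl(page_text):
    """Return {action: {principals}} from [{ALLOW action A, B}] markup."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        acl.setdefault(action, set()).update(
            n.strip() for n in names.split(",") if n.strip())
    return acl

def is_allowed(groups, action, policy, page_text):
    """Policy AND page ACL must both permit; only AllPermission skips the ACL."""
    granted = {a for g in groups for a in policy.get(g, ())}
    if "AllPermission" in granted:
        return True
    implied = set().union(*(IMPLIES.get(a, {a}) for a in granted))
    if action not in implied:
        return False                      # base policy does not grant it
    acl = parse_acl(page_text)
    if not acl:
        return True                       # no ACL: the policy decides alone
    listed = set()
    for acl_action, principals in acl.items():
        if action in IMPLIES.get(acl_action, {acl_action}):
            listed |= principals
    return bool(listed & set(groups))     # ACL present: must be named in it

if __name__ == "__main__":
    for page in (PAGE_A, PAGE_FIXED, PAGE_OPEN):
        print(is_allowed({"Editors"}, "view", POLICY, page), page)
```

In this model the Editors group is refused on PAGE_A despite its policy grant, and is admitted once the page ACL names it, without receiving AllPermission.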