jspwiki-user mailing list archives

From Murray Altheim <murra...@altheim.com>
Subject Re: ACL filter
Date Wed, 11 Jun 2008 13:08:30 GMT
Weijian Fang wrote:
> Hi,
> We plan to use ACL to control page access. E.g., the following ACLs
> say only members of staff group can view and edit the page:
> [{ALLOW edit StaffGroup}], where StaffGroup is a wiki group defined to
> include all members of staff.
> This is convenient but causes a problem: any member of staff can edit
> this ACL (say, by mistake) to break the access control policy.
> Ideally, we want though any member of staff can edit this page, but
> only some people with a special role can edit the ACL inside the page.
> I don't know whether this is possible in JSPWiki 2.6.2 or by some
> contributed plugin/filter. (If you know, please tell me! Thanks!) So I
> propose to use a filter to implement this:
> In the preSave method, if the current editor has the special role that
> allows him to handle ACL, the to-be-saved content is saved directly.
> Otherwise, any ACL in the to-be-saved content is ignored, and the
> current (official) ACLs are read from the current version of the page
> and appended to the to-be-saved content, before it is saved.

Hi Weijian,

I don't know if it's been done before but this sounds like a good place
to invest in some time developing a JSP for this purpose. You could use
a menu and/or other features to limit what any given user is permitted
to enter into the form or show them the permitted values. Having a bit
more code behind any complicated feature can of course add its own
issues but when security is involved this might be justified.

If you've never written a JSP before take a peek at some of those in
JSPWiki, as it might be easier than trying to accomplish this via a
plugin, particularly if you're trying to do some form entry. Plugins can
also be abused or instantiated in the wrong place, or more than once on
a page, whereas a JSP is pretty safe in that regard.

Hope this is helpful.


Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record
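
The preSave behaviour proposed in the quoted message, as an added example; it is not code from either poster or from JSPWiki. The class name, method signature and ACL pattern are assumptions: the pattern only covers the `[{ALLOW ...}]` form shown in the message, and the role check is reduced to a boolean the caller supplies.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Core logic of the proposed filter; all names here are hypothetical. */
public class AclPreservingFilter {
    // Assumption: ACL markup has the form shown in the message, [{ALLOW edit StaffGroup}].
    // A deployed filter has to recognise ACLs exactly as the wiki's own parser does,
    // otherwise markup the parser accepts but this pattern misses slips through.
    private static final Pattern ACL = Pattern.compile("\\[\\{\\s*ALLOW\\b[^}]*\\}\\]");

    static List<String> extractAcls(String text) {
        List<String> acls = new ArrayList<>();
        Matcher m = ACL.matcher(text);
        while (m.find()) {
            acls.add(m.group());
        }
        return acls;
    }

    /**
     * @param submitted  to-be-saved content from the editor
     * @param current    current saved version of the page ("" for a new page)
     * @param mayEditAcl true if the editor holds the special ACL-editing role
     */
    static String preSave(String submitted, String current, boolean mayEditAcl) {
        if (mayEditAcl) {
            return submitted;                       // privileged editor: save as submitted
        }
        // Ignore any ACL in the submitted text...
        String body = ACL.matcher(submitted).replaceAll("").replaceFirst("\\s+$", "");
        StringBuilder out = new StringBuilder(body);
        // ...and append the ACLs of the current (official) version instead.
        for (String acl : extractAcls(current)) {
            out.append('\n').append(acl);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample pages.
        String current = "Staff notes.\n[{ALLOW edit StaffGroup}]";
        String tampered = "Staff notes, updated.\n[{ALLOW edit All}]";
        System.out.println(preSave(tampered, current, false));
        System.out.println("---");
        System.out.println(preSave(tampered, current, true));
    }
}
```

With an empty `current`, an unprivileged editor's ACLs are dropped and none are appended, so a new page gets an ACL only when a privileged editor saves one.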
