Small typo:
The check is made on whether the page that holds the groovy script was saved
*BY* *A USER* *WHO HAS* programming rights.
Guillaume
On Thu, Jun 11, 2009 at 8:35 PM, Guillaume Lerouge <guillaume(a)xwiki.com> wrote:
  Hi Dean,
 On Thu, Jun 11, 2009 at 7:49 PM, Dean G Weber <Dean.G.Weber(a)raytheon.com> wrote:
  I've been struggling for a while with the dilemma of getting a user into a
 group. Let me supply some background on what we've been trying to do with
 Xwiki.
 We're trying to use Xwiki for an internal collaborative site. Management
 has decided that users of the wiki must complete proper training. Without
 the training, the user cannot add to the wiki pages.
 For authentication, we've connected the wiki to our LDAP server via the
 xwiki.cfg file. Authenticated users are automatically placed into the
 XWikiAllGroup by default.  In order to accommodate management
 requirements, I created a new user group... let's call it
 "TrainedUsersGroup".
 Once authenticated, users are placed into the Webhome page of the wiki.
 I've placed Velocity script on the Webhome page to check if the user is in
 the TrainedUsersGroup. If the user is not in the group, the user is
 redirected to the NoAccess.WebHome page.
 On the NoAccess.Webhome page another check is made to determine if the
 user is in the TrainedUsersGroup. If the user is not in the group,  a call
 is made to a Groovy class (on another page in the Groovy namespace). The
 groovy code executes a system call to grep on the Linux system running the
 Xwiki against a CSV file pulled from an intranet web report. The passed
 user's login (which is the same as the LDAP user id) is checked against
 this file. If the returned grep output shows that the training has been
 completed, the NoAccess.WebHome page will attempt to add the user to the
 TrainedUsersGroup. If the user is added to the TrainedUsersGroup as
 determined after another check, the user is redirected back to the
 originating WebHome page.
 This mechanism works great if the user accessing the pages is an admin.
 However, if the user is a regular user everything except the addition to
 the group works. Instead, the code to place the user in the group displays
 on the page. It does not run and put the user into the TrainedUsersGroup.
 This is no good for our needs in which we must restrict Xwiki access for
 non-trained users.
 
 "Instead, the code to place the user in the group displays
 on the page."
 *-> question:* does the wiki receive the grep output in all cases? Can you
 get the output printed on the screen even if the context user isn't an
 admin? If not, the problem arises earlier and you'd need to identify exactly
 where it comes from.
 *-> observation:* this issue is typical of lacking programming rights.
 Programming rights are different from other rights in that the check is not
 made on whether the current user has programming rights. The check is made
 on whether the page that holds the groovy script was saved with someone
 holding programming rights. This is why the check you're doing against the
 visiting user doesn't work.
 Programming rights work this way in order to prevent a non-authorized
 person from creating and executing a privileged script. Therefore what matters is
 the state of the page holding your script at the point when it is being
 called. What is somehow happening is that the system thinks the page holding
 the script has been saved by the current user at some point and thus
 displays its literal content instead of running the code.
 Thus you may want to check whether your application makes XWiki think that
 the context user is the one who saved the groovy page. You need to make sure
 that XWiki doesn't think that the NoAccess.WebHome page holding your second
 script has been saved by the current user. Check for occurrences of
 $doc.save() (velocity) or doc.save() (groovy) in your code and make sure
 that XWiki thinks the user performing the action is a user with programming
 rights.
 I'm not a developer so I can't do much more for you here, hope it makes
 things a bit clearer though. Good luck!
 (My original goal was to connect to our Oracle database and based upon the
  user id determine directly if the user has completed the training. I've
 had luck with a simple Groovy script running on my desktop and on the
 Linux server. However, from within the Xwiki Groovy console or on a page,
 I get no output. Therefore, I have abandoned the Oracle query check via
 Groovy.)
 I've been researching the Xwiki user list for weeks. I've pored over
 xwiki documentation. I've peeked at wiki page source. I've done all this
 in an attempt to figure out how to get a user to place himself into a
 group. I've found a lot of confusing and contradicting information.
 Programming rights are mentioned. The only place I found the ability to
 set this right was in the xwiki administration. I can't determine if the
 problem is even related to programming rights. I've put a debug statement
 on the NoAccess.WebHome page to print whether the user visiting the page
 has programming rights. In all cases it displays that they do. Yet, only
 admins can add themselves to the TrainedUsersGroup. This doesn't work for
 me. I need to automatically add the visiting user to the TrainedUsersGroup
 once the training has been validated. 
 Btw, I'm really sorry about you experiencing this frustrating experience.
 Hope this email will help a bit.
 *-> shameless plug:* XWiki SAS (www.xwiki.com) offers development support
 services to help you when faced with such hurdles. I'm aware you might not
 be in a position where you can consider this offer, but you'd have the
 guarantee of getting an appropriate answer in a short timeframe (vs
 community support, although it's usually pretty fast on these lists) plus
 it's a great way to help the development of the XWiki project if you like
 the product + well, it would have saved you days and effort thus making you save
 money in the end ;-)
  What is the problem? Why won't the user go into the group? Is there a
 better way of doing this? Any help, code snippets or suggestions would be
 appreciated. 
 Thanks.
  Dean Weber
 Sr Software Engineer II
 Raytheon Technical Services Company LLC
 
 Guillaume
 --
 Guillaume Lerouge
 Product Manager - XWiki
 Skype: wikibc
 Twitter: glerouge
 
http://guillaumelerouge.com/
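
The training check described in the thread (a system call to grep against the CSV report) can also be done inside the Groovy script itself, with an exact match on the login. The following is an added example, not code from the thread or from XWiki; the CSV layout, the function names and the sample rows are assumptions constructed for illustration.

```groovy
// Added example: look up a login in the training report without leaving the JVM.
// Assumed CSV layout (constructed sample data): login,course,status
def SAMPLE_CSV = '''\
login,course,status
jsmith,WIKI-101,COMPLETED
jsmithers,WIKI-101,PENDING
adoe,WIKI-101,COMPLETED
'''

// Accept only characters expected in an LDAP-style user id (assumed policy);
// anything else is rejected before the report is even read.
boolean isValidLogin(String login) {
    login != null && login ==~ /[A-Za-z0-9._-]{1,64}/
}

// True only when a row's first column equals the login exactly and its
// status column says COMPLETED. An unanchored grep matches substrings,
// so "smith" would also hit the "jsmith" and "jsmithers" rows.
boolean hasCompletedTraining(String csvText, String login) {
    if (!isValidLogin(login)) return false
    csvText.readLines().drop(1).any { line ->   // drop(1) skips the header row
        def cols = line.split(',', -1)*.trim()
        cols.size() >= 3 && cols[0] == login && cols[2].equalsIgnoreCase('COMPLETED')
    }
}

// Self-checks on the constructed sample
assert hasCompletedTraining(SAMPLE_CSV, 'jsmith')
assert hasCompletedTraining(SAMPLE_CSV, 'adoe')
assert !hasCompletedTraining(SAMPLE_CSV, 'jsmithers')  // row exists but status is PENDING
assert !hasCompletedTraining(SAMPLE_CSV, 'smith')      // substring of a login, not a login
assert !hasCompletedTraining(SAMPLE_CSV, 'j smith')    // fails the character check
assert !hasCompletedTraining(SAMPLE_CSV, null)
```

Whether this runs on a wiki page still depends on the point made above: the page holding the Groovy code must have been saved by a user with programming rights.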