Hi Denis,
thanks for the pointer!
I see that by this documentation the "Script" right indeed has a precedence "DENY before ACCEPT",
as with the other "page related" rights (i.e., the ones that can be set on the page level),
and that "create wiki" indeed has an "ACCEPT before DENY".
I guess for the first part the user documentation at:
should be updated - it also wrongly states that the "Script" right can only be
granted on the wiki level.
Unless someone corrects me I will do this as part of XWIKI-13269 for the next BFD;
For the other rights I will commit fixes for the UI, which currently wrongly assumes
that "DENY before ACCEPT" always applies. As I have no idea how to access the
Java "Rights" object from the velocity templates, I will probably hardcode a
duplicate of this information; that is, unless I or someone else has a better idea.
Clemens
Hi Clemens,
I am currently travelling by plane, so I cannot look into this issue in detail
now, but I will surely have an answer later. In the meantime, you
may find answers by looking at the most accurate documentation at
http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module.
On Mon, May 9, 2016 at 9:22 AM, Clemens Klein-Robbenhaar <c.robbenhaar(a)espresto.com> wrote:
> Hi devs,
>
> while trying to figure out how to fix
> http://jira.xwiki.org/browse/XWIKI-13269 "Multiple values for one
> permission pair handled wrong"
> I ran into a question about how to resolve conflicting rights/permissions.
> I guess that resolving rights conflicts assigned to the same object/level
> (i.e. page or wiki) but different principal (i.e. user and a group of that
> user)
> is not much different than resolving a conflict with rights for the same
> principal (as happened in the bug report, getting two rights for the
> anonymous user after an upgrade conflict)
>
> If I understand the documentation here:
>
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
>
> then usually "deny" takes precedence over "allow", except for the "Special
> Permissions": "admin", "programming", "register", "create wiki" and "script".
>
> However when I look at the implementation in
> org.xwiki.security.authorization.Rights
> I can see the rights have a "tieResolutionPolicy", which is "ALLOW" for
> "register", "admin" and "programming",
> but not for "create wiki" and "script".
>
> Is the "tieResolutionPolicy" something different than the priority order?
> If not, who is right, the implementation or the documentation?
>
>
> (However, no matter what the answer is, the UI needs to be updated, as it
> always assumes that deny takes precedence, giving the wrong answer at times)
>
>
> Thanks,
> Clemens
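
The mismatch described in the original mail, as an added example that is not part of the thread and not XWiki code: a per-right tie policy compared with a UI that hardcodes "deny always wins". The class, enum and method names are hypothetical, and the policy table is an assumption taken from the implementation reading reported in the mail (ALLOW for "register", "admin" and "programming", DENY otherwise), which the thread itself leaves unconfirmed.

```java
import java.util.List;
import java.util.Map;

// Added illustration; not XWiki code. All names here are hypothetical.
public class TieResolutionDemo {
    enum State { ALLOW, DENY }

    // Assumption: tie policy as reported in the mail from reading the
    // implementation. Rights not listed here fall back to DENY.
    static final Map<String, State> TIE_POLICY = Map.of(
        "register", State.ALLOW,
        "admin", State.ALLOW,
        "programming", State.ALLOW);

    /** Resolve the rules for one right set at the same level; null means no rule. */
    static State resolve(String right, List<State> rules) {
        boolean allow = rules.contains(State.ALLOW);
        boolean deny = rules.contains(State.DENY);
        if (allow && deny) {
            // A real tie: the per-right policy decides, not a global rule.
            return TIE_POLICY.getOrDefault(right, State.DENY);
        }
        return allow ? State.ALLOW : deny ? State.DENY : null;
    }

    /** What a UI computes when it assumes that deny takes precedence everywhere. */
    static State denyFirst(List<State> rules) {
        return rules.contains(State.DENY) ? State.DENY
             : rules.contains(State.ALLOW) ? State.ALLOW : null;
    }

    public static void main(String[] args) {
        // Constructed case: one allow rule and one deny rule for the same
        // right at the same level, as in the upgrade conflict from the report.
        List<State> conflict = List.of(State.ALLOW, State.DENY);
        List<String> rights = List.of(
            "script", "create wiki", "register", "admin", "programming");
        for (String right : rights) {
            State effective = resolve(right, conflict);
            State shown = denyFirst(conflict);
            System.out.printf("%-12s effective=%-5s ui=%-5s %s%n",
                right, effective, shown,
                effective == shown ? "" : "<-- UI shows the wrong result");
        }
    }
}
```

Under this table the two computations diverge only for the rights whose tie policy is ALLOW, which is where a display that hardcodes deny-first would report a right as denied while the resolver grants it.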