[xwiki-devs] Question about rights precedence
Hi devs, while trying to figure out how to fix http://jira.xwiki.org/browse/XWIKI-13269 " Multiple values for one permission pair handled wrong " I ran into a question about now to resolve conflicting rights/permissions. I guess that resolving rights conflicts assigned to the same object/level (i.e. page or wiki) but different principal (i.e. user and a group of that user) is not much different than resolving a conflict with rights for the same principal (as happened in the bug report, getting two rights for the anonymous user after an upgrade conflict) If I understand the documentation here: http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/ then usually "deny" takes precedence over "allow", except for the "Special Permissions": "admin", "programming", "register", "crate wiki" and "script". However when I look at the implementation in org.xwiki.security.authorization.Rights I can see the rights have a "tieResolutionPolicy", which is "ALLOW" for "register", "admin" and "programing", but not for "create wiki" and "script". Is the "tieResolutionPolicy" something different than the priority order? If not, who is right, the implementation or the documentation? (However, no matter how the answer is, the UI needs to be updated, as it always assumes that deny takes precedence, giving the wrong answer at times) Thanks, Clemens
Hi Clement, I am currently travelling by plane, so I cannot have a look in details now about this issue, but I surely have an answer later. In the meantime, you may find answers by looking at the most accurate documentation at http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module. On Mon, May 9, 2016 at 9:22 AM, Clemens Klein-Robbenhaar < [email protected]> wrote:
Hi devs,
while trying to figure out how to fix http://jira.xwiki.org/browse/XWIKI-13269 " Multiple values for one permission pair handled wrong " I ran into a question about now to resolve conflicting rights/permissions. I guess that resolving rights conflicts assigned to the same object/level (i.e. page or wiki) but different principal (i.e. user and a group of that user) is not much different than resolving a conflict with rights for the same principal (as happened in the bug report, getting two rights for the anonymous user after an upgrade conflict)
If I understand the documentation here:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
then usually "deny" takes precedence over "allow", except for the "Special Permissions": "admin", "programming", "register", "crate wiki" and "script".
However when I look at the implementation in org.xwiki.security.authorization.Rights I can see the rights have a "tieResolutionPolicy", which is "ALLOW" for "register", "admin" and "programing", but not for "create wiki" and "script".
Is the "tieResolutionPolicy" something different than the priority order? If not, who is right, the implementation or the documentation?
(However, no matter how the answer is, the UI needs to be updated, as it always assumes that deny takes precedence, giving the wrong answer at times)
Thanks, Clemens _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
-- Denis Gervalle SOFTEC sa - CEO
Hi Denis, thanks for the pointer! I see that by this documentation the "Script" right indeed has a precedence "DENY before ACCEPT", as with the other "page related" rights (i.e., the ones one can be set on the page level), and that "create wiki" indeed has a "ACCEPT before DENY" I guess for the first part the user documentation at: http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/ should be updated - it also wrongly states that the "Script" right can only be granted on the wiki level. Unless someone corrects me I will do this as part of XWIKI-13269 for the next BFD; For the other rights I will commit fixes for the UI, that currently wrongly assumes that "DENY before ACCEPT" applies always. As I have no idea how to access the Java "Rights" object from the velocity templates, I will probably hardcode a duplicate of this information; that is, unless I or someone else has a better idea. Clemens
Hi Clement,
I am currently travelling by plane, so I cannot have a look in details now about this issue, but I surely have an answer later. In the meantime, you may find answers by looking at the most accurate documentation at http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module.
On Mon, May 9, 2016 at 9:22 AM, Clemens Klein-Robbenhaar < [email protected]> wrote:
Hi devs,
while trying to figure out how to fix http://jira.xwiki.org/browse/XWIKI-13269 " Multiple values for one permission pair handled wrong " I ran into a question about now to resolve conflicting rights/permissions. I guess that resolving rights conflicts assigned to the same object/level (i.e. page or wiki) but different principal (i.e. user and a group of that user) is not much different than resolving a conflict with rights for the same principal (as happened in the bug report, getting two rights for the anonymous user after an upgrade conflict)
If I understand the documentation here:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
then usually "deny" takes precedence over "allow", except for the "Special Permissions": "admin", "programming", "register", "crate wiki" and "script".
However when I look at the implementation in org.xwiki.security.authorization.Rights I can see the rights have a "tieResolutionPolicy", which is "ALLOW" for "register", "admin" and "programing", but not for "create wiki" and "script".
Is the "tieResolutionPolicy" something different than the priority order? If not, who is right, the implementation or the documentation?
(However, no matter how the answer is, the UI needs to be updated, as it always assumes that deny takes precedence, giving the wrong answer at times)
Thanks, Clemens
participants (2)
-
Clemens Klein-Robbenhaar -
Denis Gervalle