On 09/24/2012 01:58 AM, Matt Lamoureux wrote:
> Hmm. I was hoping to not have to create a separate space just for secured
> pages.
>
> I'm confused about how "deny" rights can be stronger than "allow" rights.
> If my wiki-level permissions allow View, but have blocked edit and delete,
> then how can I go into the space-level rights and grant edit and delete
> rights there? Wouldn't the wiki-level permissions override the
> space-level? If not, then why wouldn't the page-level permissions override
> the space-level? What am I missing?
I should have been more explicit: Deny rights are always stronger than
allow rights *at the same level*. Rights work on three kinds of levels:
1. Document rights override space rights, which override wiki rights.
2. User rights override group rights.
3. Deny rights override allow rights.
So each rights check is done at a 3-dimensional coordinate, such as
"check if there are any rights at (space, users, allow)". This process
goes from the most specific to the most generic, until an *explicit*
answer is found at one of these coordinates.
Another piece of the puzzle is that an explicit answer doesn't have to
match the current user, since the way an answer is read isn't "also
allow this right for this user/group on this document/space/wiki", but
as "this user/group is the one that's allowed this right on this
document/space/wiki", so if GroupA is allowed access explicitly, then
anybody else that's not in GroupA is denied access implicitly.
And there are other extra factors that influence the final outcome, such
as "wiki admin rights automatically grant any other right regardless of
any other deny rights for the user", "a document's creator has implicit
delete rights for that document", "some rights are implicitly allowed if
there's NOTHING explicit said about that right anywhere, while others are
implicitly denied", and so on. The only complete specification about how
rights work is the source code:
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwi…
On Mon, Sep 24, 2012 at 1:42 AM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
> On 09/24/2012 12:53 AM, Matt Lamoureux wrote:
>
>> Can someone please confirm that I understand user rights properly?
>>
>> I have a wiki in which I have loaded all of our custom pages into a space
>> called "1". We use LDAP, so every user is automatically added to the
>> XWikiAllGroup. We have a small team that wants to utilize secured pages,
>> so I created a group called GroupA. I then went through and added team
>> members to GroupA (without removing them from XWikiAllGroup).
>>
>> At the wiki level, I have granted both groups "view" access, but blocked
>> everything else.
>> At the "1" space level, I have granted both groups "edit" and "delete"
>> rights
>>
>> Now, in that space, there are some pages that we only want GroupA to see.
>> I thought it was simple - I could just go into each page, block
>> XWikiAllGroup from view/edit/delete, and grant view/edit/delete access to
>> GroupA. Apparently that is not true - the fact that they are still in
>> XWikiAllGroup prevents them from viewing those pages, since that group is
>> blocked? I expected the fact that they are part of GroupA and GroupA is
>> authorized, they would be authorized.
>>
>> If that is true, what is the solution to this? What is the simplest way to
>> secure a page from everyone except the members of GroupA? If I remove
>> GroupA members from XWikiAllGroup, that seems to cause other issues with
>> skins and such.
>>
>> Any suggestions?
>>
>
> From
http://markmail.org/message/32zfathwmj3pzjre
>
> "Deny rights are always stronger than allow rights. There is no group
> ordering, no notion of a "more specific" group."
>
> From
http://markmail.org/message/jzxb2mtzn6kcx6yi
>
> "Specifying an access right for a group automatically denies that right
> for those that are not in that group."
>
> So you should just "allow" GroupA, without any "deny".
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
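The resolution order Sergiu describes above (document before space before wiki, user before group, deny before allow, most specific coordinate with an explicit answer wins, and an allow naming someone else counts as an implicit deny) is easier to reason about as a small model. The block below is an added example written for this page, in Python for brevity; it is not XWiki's own code (that is the XWikiRightServiceImpl source linked in the reply) and it follows the message's description literally. The group, user and space names reproduce Matt's scenario; the "default when nothing explicit is found anywhere" table and the admin/creator shortcuts are assumptions modelled on the extra factors mentioned in the reply.

```python
"""Model of the XWiki rights-resolution order described in the thread above.

Added illustration, not XWiki's own implementation. The DEFAULTS table is an
assumption: the reply only says some rights default to allow and others to deny.
"""
from dataclasses import dataclass

LEVELS = ("document", "space", "wiki")   # most specific level first
KINDS = ("user", "group")                # user rights beat group rights
EFFECTS = ("deny", "allow")              # deny beats allow at the same coordinate
RIGHTS = ("view", "edit", "delete")

# Assumption: used only when no explicit rule exists at any coordinate.
DEFAULTS = {"view": True, "edit": True, "delete": False}


@dataclass(frozen=True)
class Rule:
    level: str      # "document" | "space" | "wiki"
    kind: str       # "user" | "group"
    subject: str    # user name or group name
    effect: str     # "allow" | "deny"
    right: str      # "view" | "edit" | "delete"


@dataclass
class Principal:
    name: str
    groups: frozenset
    is_wiki_admin: bool = False

    def matches(self, rule: Rule) -> bool:
        if rule.kind == "user":
            return rule.subject == self.name
        return rule.subject in self.groups


def check_right(principal: Principal, right: str, rules, doc_creator=None) -> bool:
    """Walk the (level, kind, effect) coordinates from most specific to most
    generic and stop at the first coordinate that gives an explicit answer."""
    if principal.is_wiki_admin:                  # admin overrides any deny
        return True
    if right == "delete" and doc_creator == principal.name:
        return True                              # creator implicitly may delete
    for level in LEVELS:
        for kind in KINDS:
            for effect in EFFECTS:
                here = [r for r in rules
                        if (r.level, r.kind, r.effect, r.right) == (level, kind, effect, right)]
                if not here:
                    continue                     # nothing explicit here, keep walking
                matched = any(principal.matches(r) for r in here)
                if effect == "deny":
                    if matched:
                        return False             # explicit deny for us: final
                    continue                     # a deny for someone else says nothing
                # An allow coordinate is final either way: if it names somebody
                # else and not us, that is the implicit deny from the reply.
                return matched
    return DEFAULTS[right]


# --- Matt's scenario (constructed from the thread) --------------------------
BOTH = ("XWikiAllGroup", "GroupA")
BASE = (
    [Rule("wiki", "group", g, "allow", "view") for g in BOTH]
    + [Rule("wiki", "group", g, "deny", r) for g in BOTH for r in ("edit", "delete")]
    + [Rule("space", "group", g, "allow", r) for g in BOTH for r in ("edit", "delete")]
)
# First attempt: deny XWikiAllGroup and allow GroupA on the secured page.
ATTEMPT = (BASE
           + [Rule("document", "group", "XWikiAllGroup", "deny", r) for r in RIGHTS]
           + [Rule("document", "group", "GroupA", "allow", r) for r in RIGHTS])
# Sergiu's fix: only allow GroupA on the secured page, no deny at all.
FIX = BASE + [Rule("document", "group", "GroupA", "allow", r) for r in RIGHTS]

ALICE = Principal("Alice", frozenset({"XWikiAllGroup", "GroupA"}))   # team member
BOB = Principal("Bob", frozenset({"XWikiAllGroup"}))                 # everyone else


def view_on_secured_page(rules):
    """Who can view the secured page under a given rule set."""
    return {p.name: check_right(p, "view", rules) for p in (ALICE, BOB)}


def edit_in_space_1():
    """A page in space "1" with no page-level rules: the space allow answers
    before the wiki-level deny is ever reached."""
    return check_right(BOB, "edit", BASE)


def edit_outside_space_1():
    """Same user on a page whose space has no rules: the wiki deny applies."""
    wiki_only = [r for r in BASE if r.level == "wiki"]
    return check_right(BOB, "edit", wiki_only)


if __name__ == "__main__":
    print("attempt:", view_on_secured_page(ATTEMPT))
    print("fix:    ", view_on_secured_page(FIX))
```

Running it reproduces what Matt saw: with the extra deny in place the page-level deny for XWikiAllGroup is reached first and blocks Alice even though she is also in GroupA, while with only the GroupA allow the same coordinate answers "allow" for Alice and implicitly "deny" for Bob. Note that the model takes the three-dimensional description literally; the real implementation is the linked source and may differ in details such as how user and group entries at one level interact.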