8 Mar
2013
8 Mar
'13
8:13 a.m.
Hi Matt,
In case you don't know, an explicit allow rule means deny for everyone
else. So when you give for instance 'view' rights to Group A to a
Space X it means that *only* Group A is allowed to view the pages from
space X. Thus if you use allow instead of deny then you can have an
user be part of both Group A and B, and she will have access to the
set of pages that both groups have.
In any case, removing users from XWikiAllGroup is a sign of bad
design. You should not have to do this. All valid users must be part
of XWikiAllGroup otherwise you might get into trouble later.
Hope this helps,
Marius
On Thu, Mar 7, 2013 at 9:52 PM, Matt Lamoureux <mmlmrx(a)gmail.com> wrote:
Hi all,
I am having trouble understanding user permissions again. I have Xwiki
set up for LDAP authentication, so any user who signs in gets added to the
XWikiAllGroup. For this example, let's say I have GroupA and GroupB, both
of which have their own sets of protected pages. The way it works now is
that I have to remove each user from XWikiAllGroup and add them to either
GroupA or GroupB. This way, the protected pages are set to deny to anyone
NOT a member of that particular group.
My question is: how can I get a single member of Group A to be
authorized for the GroupB protected pages? I cannot simply add them to
GroupB - they would then not be allowed access to either set of pages
because the deny rules take precedence. I could add them to a third group
called GroupsA&B, but that seems a poor solution, as this would only
increase in complexity in the future. Do I have my architecture of
protected pages set up wrong - is there are more logical way to configure
this?
Thanks in advance!
- Matt L.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users