Thanks Sergiu - I think that does help my understanding. Something still
doesn't make sense about this part though:
Another piece of the puzzle is that an explicit answer doesn't have to
match the current user, since the way an answer is read isn't "also allow
this right for this user/group on this document/space/wiki", but as "this
user/group is the one that's allowed this right on this
document/space/wiki", *so if GroupA is allowed access explicitly, then
anybody else that's not in GroupA is denied access implicitly.*
My space is set to "allow" for view/edit/delete for both GroupA &
XWikiAllGroup, and all of the pages in that space have "blank" rights (so
they "inherit" rights from the space). If I choose a page and grant
*explicit* "allow" view/edit/delete access to GroupA (leaving XWikiAllGroup
rights as blanks), that should exclude any non-GroupA user from accessing
that page - right? If so, that is not working properly - the non-GroupA
members are still able to see that page... The only way I seem to be able
to prohibit "everyone-but-GroupA" from seeing a single page is by using
"deny" on the page level and taking the GroupA members out of the
XWikiAllGroup. I just don't seem to be able to configure this using the
explicit "allow" to accomplish what you described...
Are you 100% sure about that? This isn't what I see happening on my wiki.
Keep in mind what I said about admin rights always granting any other
right, regardless of specific space or document rights. So if a user has
wiki admin rights, it doesn't matter if he's in GroupA or not, he will
always have access rights on that document.
On Mon, Sep 24, 2012 at 3:08 AM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
> On 09/24/2012 01:58 AM, Matt Lamoureux wrote:
>
>> Hmm. I was hoping to not have to create a separate space just for secured
>> pages.
>>
>> I'm confused about how "deny" rights can be stronger than "allow" rights.
>> If my wiki-level permissions allow View, but have blocked edit and delete,
>> then how can I go into the space-level rights and grant edit and delete
>> rights there? Wouldn't the wiki-level permissions override the
>> space-level? If not, then why wouldn't the page-level permissions override
>> the space-level? What am I missing?
>>
> I should have been more explicit: Deny rights are always stronger than
> allow rights *at the same level*. Rights work on three kinds of levels:
>
> 1. Document rights override space rights, which override wiki rights.
> 2. User rights override group rights.
> 3. Deny rights override allow rights.
>
> So each rights check is done at a 3-dimensional coordinate, such as "check
> if there are any rights at (space, users, allow)". This process goes from
> the most specific to the most generic, until an *explicit* answer is found
> at one of these coordinates.
>
> Another piece of the puzzle is that an explicit answer doesn't have to
> match the current user, since the way an answer is read isn't "also allow
> this right for this user/group on this document/space/wiki", but as "this
> user/group is the one that's allowed this right on this
> document/space/wiki", so if GroupA is allowed access explicitly, then
> anybody else that's not in GroupA is denied access implicitly.
>
> And there are other extra factors that influence the final outcome, such
> as "wiki admin rights automatically grant any other right regardless of any
> other deny rights for the user", "a document's creator has implicit delete
> rights for that document", "some rights are implicitly allowed if there's
> NOTHING explicit said about that right anywhere, while others are implicitly
> denied", and so on. The only complete specification about how rights work
> is the source code:
>
> https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
>
>
>> On Mon, Sep 24, 2012 at 1:42 AM, Sergiu Dumitriu <sergiu(a)xwiki.com>
>> wrote:
>>
>>> On 09/24/2012 12:53 AM, Matt Lamoureux wrote:
>>>
>>>> Can someone please confirm that I understand user rights properly?
>>>>
>>>> I have a wiki in which I have loaded all of our custom pages into a space
>>>> called "1". We use LDAP, so every user is automatically added to the
>>>> XWikiAllGroup. We have a small team that wants to utilize secured pages,
>>>> so I created a group called GroupA. I then went through and added team
>>>> members to GroupA (without removing them from XWikiAllGroup).
>>>>
>>>> At the wiki level, I have granted both groups "view" access, but blocked
>>>> everything else.
>>>> At the "1" space level, I have granted both groups "edit" and "delete"
>>>> rights
>>>>
>>>> Now, in that space, there are some pages that we only want GroupA to see.
>>>> I thought it was simple - I could just go into each page, block
>>>> XWikiAllGroup from view/edit/delete, and grant view/edit/delete access to
>>>> GroupA. Apparently that is not true - the fact that they are still in
>>>> XWikiAllGroup prevents them from viewing those pages, since that group is
>>>> blocked? I expected the fact that they are part of GroupA and GroupA is
>>>> authorized, they would be authorized.
>>>>
>>>> If that is true, what is the solution to this? What is the simplest way to
>>>> secure a page from everyone except the members of GroupA? If I remove
>>>> GroupA members from XWikiAllGroup, that seems to cause other issues with
>>>> skins and such.
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>> From http://markmail.org/message/32zfathwmj3pzjre
>>>
>>> "Deny rights are always stronger than allow rights. There is no group
>>> ordering, no notion of a "more specific" group."
>>>
>>> From http://markmail.org/message/jzxb2mtzn6kcx6yi
>>>
>>> "Specifying an access right for a group automatically denies that right
>>> for those that are not in that group."
>>>
>>> So you should just "allow" GroupA, without any "deny".
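The resolution order Sergiu lays out in the thread (document over space over wiki, user over group, deny over allow, stop at the first explicit answer, and an explicit allow implicitly denying everyone it does not name) run against Matt's setup, as an added Python model. This is not code from the thread and not XWiki's own implementation (that is XWikiRightServiceImpl, which has more special cases). The user names alice and bob, the page names 1.Secret, 1.Normal and Main.WebHome, the DEFAULTS table for "nothing explicit anywhere", and treating wiki admin as a hard override are assumptions made for the illustration.

```python
# Toy model of the rights resolution Sergiu describes above. Added illustration
# only, not XWiki's code: the real logic is in XWikiRightServiceImpl.
from dataclasses import dataclass, field

LEVELS = ("document", "space", "wiki")   # most specific first
SUBJECT_KINDS = ("users", "groups")       # user rules beat group rules
KINDS = ("deny", "allow")                 # deny beats allow at the same level

# ASSUMED defaults for "nothing explicit anywhere": the thread only says that
# some rights default to allow and others to deny, not which.
DEFAULTS = {"view": True, "edit": True, "delete": False}


@dataclass
class Rule:
    right: str         # "view", "edit" or "delete"
    kind: str          # "allow" or "deny"
    subject_kind: str  # "users" or "groups"
    subject: str       # user name or group name


@dataclass
class Wiki:
    groups: dict = field(default_factory=dict)  # group -> set of users
    admins: set = field(default_factory=set)    # wiki admins always win (assumed)
    rules: dict = field(default_factory=dict)   # scope -> [Rule]

    def add(self, scope, *rules):
        """scope is "wiki", "space:<name>" or "doc:<space>.<page>"."""
        self.rules.setdefault(scope, []).extend(rules)

    def _applies(self, user, rule):
        if rule.subject_kind == "users":
            return rule.subject == user
        return user in self.groups.get(rule.subject, set())

    def has_access(self, user, right, doc):
        if user in self.admins:  # "wiki admin rights grant any other right"
            return True
        scopes = {"document": f"doc:{doc}",
                  "space": f"space:{doc.split('.')[0]}", "wiki": "wiki"}
        for level in LEVELS:
            at_level = [r for r in self.rules.get(scopes[level], []) if r.right == right]
            for subject_kind in SUBJECT_KINDS:
                for kind in KINDS:
                    coord = [r for r in at_level
                             if r.subject_kind == subject_kind and r.kind == kind]
                    if not coord:
                        continue  # nothing explicit here, try the next coordinate
                    matches = any(self._applies(user, r) for r in coord)
                    if kind == "deny":
                        if matches:
                            return False  # explicit deny for the user or their group
                        continue          # a deny aimed at someone else is no answer
                    # An explicit allow names WHO gets the right: anyone not
                    # named is implicitly denied at this coordinate.
                    return matches
        return DEFAULTS[right]


def matts_wiki(page_rules):
    """Matt's setup: alice is in GroupA and XWikiAllGroup, bob only in XWikiAllGroup."""
    w = Wiki(groups={"XWikiAllGroup": {"alice", "bob"}, "GroupA": {"alice"}})
    for g in ("GroupA", "XWikiAllGroup"):
        # wiki level: view allowed, edit and delete blocked
        w.add("wiki", Rule("view", "allow", "groups", g),
              Rule("edit", "deny", "groups", g), Rule("delete", "deny", "groups", g))
        # space "1": edit and delete granted (document > space > wiki)
        w.add("space:1", Rule("edit", "allow", "groups", g),
              Rule("delete", "allow", "groups", g))
    w.add("doc:1.Secret", *page_rules)
    return w


def deny_plus_allow():
    """Matt's first attempt: deny XWikiAllGroup and allow GroupA on the page."""
    w = matts_wiki([Rule("view", "deny", "groups", "XWikiAllGroup"),
                    Rule("view", "allow", "groups", "GroupA")])
    return {u: w.has_access(u, "view", "1.Secret") for u in ("alice", "bob")}


def allow_only():
    """Sergiu's advice: allow GroupA on the page and add no deny at all."""
    w = matts_wiki([Rule("view", "allow", "groups", "GroupA")])
    return {u: w.has_access(u, "view", "1.Secret") for u in ("alice", "bob")}


def space_overrides_wiki():
    """Edit is denied at wiki level but allowed in space "1"."""
    w = matts_wiki([])
    return {d: w.has_access("alice", "edit", d) for d in ("1.Normal", "Main.WebHome")}


def admin_override():
    """A wiki admin keeps access whatever the page-level rules say."""
    w = matts_wiki([Rule("view", "allow", "groups", "GroupA")])
    w.admins.add("bob")
    return w.has_access("bob", "view", "1.Secret")


if __name__ == "__main__":
    print(deny_plus_allow(), allow_only(), space_overrides_wiki(), admin_override())
```

Under these rules deny_plus_allow() locks out alice as well as bob, because the page-level group deny on XWikiAllGroup is found before the page-level group allow on GroupA; allow_only() lets alice in and shuts bob out without any deny, since the allow names GroupA as the only permitted group; space_overrides_wiki() shows the space-level allow beating the wiki-level deny for edit on a page in space "1" while a page outside that space falls through to the wiki-level deny; and admin_override() shows why a user who is a wiki admin will still see the page whatever the page says.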