Thanks Sergiu - I think that does help my understanding. Something still
doesn't make sense about this part though:
Another piece of the puzzle is that en explicit answer doesn't have to
match the current user, since the way an answer is
read isn't "also allow
this right for this user/group on this document/space/wiki", but as "this
user/group is the one that's allowed this right on this
document/space/wiki", *so if GroupA is allowed access explicitly, then
anybody else that's not in GroupA is denied access implicitly.*
My space is set to "allow" for view/edit/delete for both GroupA &
XWikiAllGroup, and all of the pages in that space have "blank" rights (so
they "inherit" rights from the space). If I choose a page and grant *explicit
*"allow" view/edit/delete access to GroupA (leaving XWikiAllGroup rights as
blanks), that should exclude any non-GroupA user from accessing that page -
right? If so, that is not working properly - the non-GroupA members are
still able to see that page... The only way I seem to be able to prohibit
"everyone-but-GroupA" from seeing a single page is by using "deny" on
the
page level and taking the GroupA members out of the XwikiAllGroup. I just
don't seem to be able to configure this using the explicity "allow" to
accomplish what you described...
On Mon, Sep 24, 2012 at 3:08 AM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
On 09/24/2012 01:58 AM, Matt Lamoureux wrote:
Hmm. I was hoping to not have to create a
separate space just for secured
pages.
I'm confused about how "deny" rights can be stronger than "allow"
rights.
If my wiki-level permissions allow View, but have blocked edit and delete,
then how can I go into the space-level rights and grant edit and delete
rights there? Wouldn't the wiki-level permissions override the
space-level? If not, then why wouldn't the page-level permissions
override
the space-level? What am I missing?
I should have been more explicit: Deny rights are always stronger that
allow rights *at the same level*. Rights work on three kind of levels:
1. Document rights override space rights, which override wiki rights.
2. User rights override group rights.
3. Deny rights override allow rights.
So each rights check is done at a 3-dimensional coordinate, such as "check
if there are any rights at (space, users, allow)". This process goes from
the most specific to the most generic, until an *explicit* answer is found
at one of these coordinates.
Another piece of the puzzle is that en explicit answer doesn't have to
match the current user, since the way an answer is read isn't "also allow
this right for this user/group on this document/space/wiki", but as "this
user/group is the one that's allowed this right on this
document/space/wiki", so if GroupA is allowed access explicitly, then
anybody else that's not in GroupA is denied access implicitly.
And there are other extra factors that influence the final outcome, such
as "wiki admin rights automatically grant any other right regardless of any
other deny rights for the user", "a document's creator has implicit delete
rights for that document", "some rights are implicitly allowed if there's
NOTHING explicit said about that right anywhere, while other are implicitly
denied", and so on. The only complete specification about how rights work
is the source code:
https://github.com/xwiki/**xwiki-platform/blob/master/**
xwiki-platform-core/xwiki-**platform-oldcore/src/main/**
java/com/xpn/xwiki/user/impl/**xwiki/XWikiRightServiceImpl.**java<https:…
On Mon, Sep 24, 2012 at 1:42 AM, Sergiu Dumitriu
<sergiu(a)xwiki.com>
wrote:
On 09/24/2012 12:53 AM, Matt Lamoureux wrote:
Can someone please confirm that I understand user rights properly?
I have a wiki in which I have loaded all of our custom pages into a
space
called "1". We use LDAP, so every user is automatically added to the
XWikiAllGroup. We have a small team that wants to utilize secured
pages,
so I created a group called GroupA. I then went through and added team
members to GroupA (without removing them from XWikiAllGroup).
At the wiki level, I have granted both groups "view" access, but blocked
everything else.
At the "1" space level, I have granted both groups "edit" and
"delete"
rights
Now, in that space, there are some pages that we only want GroupA to
see.
I thought it was simple - I could just go into each page, block
XWikiAllGroup from view/edit/delete, and grant view/edit/delete access
to
GroupA. Apparently that is not true - the fact that they are still in
XWikiAllGroup prevents them from viewing those pages, since that group
is
blocked? I expected the fact that they are part of GroupA and GroupA is
authorized, they would be authorized.
If that is true, what is the solution to this? What is the simplest way
to
secure a page from everyone except the members of GroupA? If I remove
GroupA members from XWikiAllGroup, that seems to cause other issues with
skins and such.
Any suggestions?
From
http://markmail.org/message/****32zfathwmj3pzjre<http://markmail.org/mes…
<http://**markmail.org/message/**32zfathwmj3pzjre<http://markmail.org/message/32zfathwmj3pzjre>
"Deny rights are always stronger than allow rights. There is no group
ordering, no notion of a "more specific" group."
From
http://markmail.org/message/****jzxb2mtzn6kcx6yi<http://markmail.org/mes…
<http://**markmail.org/message/**jzxb2mtzn6kcx6yi<http://markmail.org/message/jzxb2mtzn6kcx6yi>
"Specifying an access right for a group automatically denies that right
for those that are not in that group."
So you should just "allow" GroupA, without any "deny".
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
______________________________**_________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/**mailman/listinfo/users<http://lists.xwiki.org/m…