Thanks Sergiu - I think that does help my understanding. Something still doesn't make sense about this part though:
"Another piece of the puzzle is that an explicit answer doesn't have to match the current user, since the way an answer is read isn't "also allow this right for this user/group on this document/space/wiki", but as "this user/group is the one that's allowed this right on this document/space/wiki", *so if GroupA is allowed access explicitly, then anybody else that's not in GroupA is denied access implicitly.*"
My space is set to "allow" for view/edit/delete for both GroupA & XWikiAllGroup, and all of the pages in that space have "blank" rights (so they "inherit" rights from the space). If I choose a page and grant *explicit* "allow" view/edit/delete access to GroupA (leaving XWikiAllGroup rights as blanks), that should exclude any non-GroupA user from accessing that page - right? If so, that is not working properly - the non-GroupA members are still able to see that page... The only way I seem to be able to prohibit "everyone-but-GroupA" from seeing a single page is by using "deny" on the page level and taking the GroupA members out of the XWikiAllGroup. I just don't seem to be able to configure this using the explicit "allow" to accomplish what you described...
On Mon, Sep 24, 2012 at 3:08 AM, Sergiu Dumitriu <[email protected]> wrote:
On 09/24/2012 01:58 AM, Matt Lamoureux wrote:
Hmm. I was hoping to not have to create a separate space just for secured pages.
I'm confused about how "deny" rights can be stronger than "allow" rights. If my wiki-level permissions allow View, but have blocked edit and delete, then how can I go into the space-level rights and grant edit and delete rights there? Wouldn't the wiki-level permissions override the space-level? If not, then why wouldn't the page-level permissions override the space-level? What am I missing?
I should have been more explicit: Deny rights are always stronger than allow rights *at the same level*. Rights work on three kinds of levels:
1. Document rights override space rights, which override wiki rights.
2. User rights override group rights.
3. Deny rights override allow rights.
So each rights check is done at a 3-dimensional coordinate, such as "check if there are any rights at (space, users, allow)". This process goes from the most specific to the most generic, until an *explicit* answer is found at one of these coordinates.
Another piece of the puzzle is that an explicit answer doesn't have to match the current user, since the way an answer is read isn't "also allow this right for this user/group on this document/space/wiki", but as "this user/group is the one that's allowed this right on this document/space/wiki", so if GroupA is allowed access explicitly, then anybody else that's not in GroupA is denied access implicitly.
And there are other extra factors that influence the final outcome, such as "wiki admin rights automatically grant any other right regardless of any other deny rights for the user", "a document's creator has implicit delete rights for that document", "some rights are implicitly allowed if there's NOTHING explicit said about that right anywhere, while others are implicitly denied", and so on. The only complete specification about how rights work is the source code: https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
On Mon, Sep 24, 2012 at 1:42 AM, Sergiu Dumitriu <[email protected]> wrote:
On 09/24/2012 12:53 AM, Matt Lamoureux wrote:
Can someone please confirm that I understand user rights properly?
I have a wiki in which I have loaded all of our custom pages into a space called "1". We use LDAP, so every user is automatically added to the XWikiAllGroup. We have a small team that wants to utilize secured pages, so I created a group called GroupA. I then went through and added team members to GroupA (without removing them from XWikiAllGroup).
At the wiki level, I have granted both groups "view" access, but blocked everything else. At the "1" space level, I have granted both groups "edit" and "delete" rights.
Now, in that space, there are some pages that we only want GroupA to see. I thought it was simple - I could just go into each page, block XWikiAllGroup from view/edit/delete, and grant view/edit/delete access to GroupA. Apparently that is not true - the fact that they are still in XWikiAllGroup prevents them from viewing those pages, since that group is blocked? I expected the fact that they are part of GroupA and GroupA is authorized, they would be authorized.
If that is true, what is the solution to this? What is the simplest way to secure a page from everyone except the members of GroupA? If I remove GroupA members from XWikiAllGroup, that seems to cause other issues with skins and such.
Any suggestions?
From http://markmail.org/message/32zfathwmj3pzjre
"Deny rights are always stronger than allow rights. There is no group ordering, no notion of a "more specific" group."
From http://markmail.org/message/jzxb2mtzn6kcx6yi
"Specifying an access right for a group automatically denies that right for those that are not in that group."
So you should just "allow" GroupA, without any "deny".
-- Sergiu Dumitriu http://purl.org/net/sergiu/
_______________________________________________
users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
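As an added illustration (not XWiki's own XWikiRightServiceImpl, and not code from anyone in this thread), here is a small Python model of the resolution order Sergiu describes: document before space before wiki, user entries before group entries, deny before allow, with an explicit allow that names only others read as an implicit deny. The Entry shape, the "a deny naming only others gives no answer" reading and the sample ACLs are assumptions constructed for the model; it encodes the behaviour as explained in the thread, not what Matt reports observing.

```python
from dataclasses import dataclass, field

LEVELS = ("document", "space", "wiki")  # most specific level first

@dataclass
class Entry:
    right: str
    allow: bool          # True = "allow" entry, False = "deny" entry
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def check_right(right, user, user_groups, acl, default=False):
    """Walk (level, users/groups, deny/allow) from most specific to most
    generic; stop at the first explicit answer, else return default."""
    for level in LEVELS:
        entries = [e for e in acl.get(level, []) if e.right == right]
        for kind in ("users", "groups"):          # user entries before group
            for allow in (False, True):           # deny before allow
                coord = [e for e in entries
                         if e.allow == allow and getattr(e, kind)]
                if not coord:
                    continue                      # nothing explicit here
                if kind == "users":
                    matched = any(user in e.users for e in coord)
                else:
                    matched = any(e.groups & user_groups for e in coord)
                if matched:
                    return allow
                if allow:
                    # "GroupA is the one allowed": an allow naming only
                    # others is an implicit deny for everyone else.
                    return False
                # Assumption: a deny naming only others gives no answer here.
    return default

def thread_scenarios():
    """The page setups discussed in the thread, as constructed ACLs."""
    space = [Entry("view", True, groups={"GroupA", "XWikiAllGroup"})]
    # Matt's first attempt: deny XWikiAllGroup and allow GroupA on the page.
    deny_page = {"space": space, "document": [
        Entry("view", False, groups={"XWikiAllGroup"}),
        Entry("view", True, groups={"GroupA"})]}
    # Sergiu's suggestion: only an explicit allow for GroupA on the page.
    allow_page = {"space": space,
                  "document": [Entry("view", True, groups={"GroupA"})]}
    member, other = {"GroupA", "XWikiAllGroup"}, {"XWikiAllGroup"}
    return {
        "deny_page/member": check_right("view", "alice", member, deny_page),
        "allow_page/member": check_right("view", "alice", member, allow_page),
        "allow_page/other": check_right("view", "bob", other, allow_page),
    }
```

The first scenario shows why a GroupA member who is still in XWikiAllGroup is blocked by the page-level deny, and the other two show the allow-only setup excluding non-members as Sergiu describes.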