Bump. Short version:

1) Has anyone successfully assigned programming rights to an LDAP user on a
subwiki?
2) Is there a preferred way to allow normal users to upload attachments to
a page containing a Python script without getting the "You don't have the
right to execute this script" error after the attachment is uploaded?

Much thanks,
aaron

On Mon, Jul 15, 2013 at 3:17 PM, Aaron Hardy at AC <
ashtarcommunications(a)gmail.com> wrote:

Hi,

I'm running into some difficulties with permissions to run scripts for
LDAP users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.

The subwiki has a script written with Python (and some Velocity). This
script page then gets included on many pages with the {{include}} macro.
There's another script (Velocity and JavaScript) which uploads an
attachment to the pages with the include macro, so:

Page A - Code for the Python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B

The wiki farm is configured to use LDAP authentication against an external
LDAP user database. This works fine - people can log in to the subwiki with
their external credentials, and XWiki will create a user object for them.

The problem is that when an LDAP user without programming rights uses Page
C to upload an attachment to Page B, the attachment uploads but the page
will then not display, giving the "You don't have the right to execute this
script" error. I presume this is because creating an attachment on the page
means that the page was last saved by a user with non-programming rights,
so the page no longer has the rights to execute the script.

If I manually create a non-LDAP user on the main wiki and give that user
programming rights, then log into the subwiki as that user, make a small
modification to Page B and resave, it will display correctly again.

However, I cannot seem to assign programming rights to an LDAP user -
those rights don't appear to be inherited by the subwiki. So if I have the
LDAP user log in to the main wiki, it will create a user object
(xwiki:XWiki.adminuser@testcom). I can grant that user programming rights
on the main wiki, but if I try and log in with those credentials on the
subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and
re-saving the page with that user doesn't fix the problem.

Is there any way to either:

a) Grant programming rights to an LDAP user, such that users who are
authorized to make changes don't break the script permissions
or
b) Make it so that a normal non-programming user can upload attachments to
a page without breaking included scripts?

Any help is appreciated,
aaron