On 10/09/2010 03:11 PM, Dalluege, Pierre (extern) wrote:
> Hello xwiki users,
>
> I reviewed the docs, but I didn't find the right answer, maybe you can help:
> If a user is in two groups A and B, how can I handle the treatment if it is
> "allow" in one group and "deny" in the other?
> Imagine B is the group of experts within a company A, so I would like to have "at
> least one allow" but I probably have "at least one deny".
> To overcome this situation at the moment, I must provide admin rights for the experts
> group, which I am not interested in at all.
> The second option is to have one user per role, this will lead to inconsistencies and is
> not preferred either.
> The third is to massively increase the number of groups, for each role combination one
> own group. This is not an option either.
> Any ideas? Thx a lot in advance
> Best regards

The current implementation says that Deny always wins when comparing two
rights at the same specificity (user rights vs. user rights, group
rights vs. group rights). Also, there is no order among groups, so it's
impossible to say that the rights for the "Experts" group are more
important than the rights for the "General users" group.

This is something that causes problems from time to time for admins, and
it should be fixed at some point, but it's not planned for the near future.

For the moment, you can review the rights you set so that there are
fewer Deny rights.

One tip: specifying an access right for a group automatically denies
that right for those that are not in that group. So, explicitly allowing
edit right for the Experts group means that everybody that is not in the
Experts group will be denied edit access, even if there's no explicit
rule for this. This makes it possible to solve most of the problems.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
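
A small Python model of the evaluation rules described in the reply above, added as an illustration; it is not XWiki's code and not part of the original thread. It assumes a single document with no rights inheritance, that user-level rules are more specific than group-level rules, and that a right with no rule at all is unrestricted; the user names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str    # user name or group name
    is_group: bool  # True if subject is a group
    right: str      # e.g. "edit"
    allow: bool     # True = allow, False = deny


def has_right(user, groups, right, rules):
    """Decide `right` for `user` (member of `groups`) in this simplified model."""
    relevant = [r for r in rules if r.right == right]
    if not relevant:
        return True  # assumption: no rule for this right means no restriction
    # Most specific level first (assumed ordering): user rules, then group rules.
    levels = (
        [r for r in relevant if not r.is_group and r.subject == user],
        [r for r in relevant if r.is_group and r.subject in groups],
    )
    for matching in levels:
        if matching:
            # Deny wins inside one level; groups have no order among themselves.
            return all(r.allow for r in matching)
    # No rule names this user or any of their groups: an allow granted to
    # someone else implicitly denies everybody it does not cover.
    return not any(r.allow for r in relevant)


# Constructed scenario: experts are members of both groups.
EXPERT = ("expert_user", {"General users", "Experts"})
REGULAR = ("regular_user", {"General users"})

# Configuration from the question: deny on the wide group, allow on Experts.
CONFLICTING = [
    Rule("General users", True, "edit", False),
    Rule("Experts", True, "edit", True),
]
# Configuration from the tip: only the allow on Experts, no explicit deny.
ALLOW_ONLY = [Rule("Experts", True, "edit", True)]

if __name__ == "__main__":
    for name, rules in (("conflicting", CONFLICTING), ("allow-only", ALLOW_ONLY)):
        for user, groups in (EXPERT, REGULAR):
            print(name, user, has_right(user, groups, "edit", rules))
```

With the conflicting rules the expert loses edit access because the group-level deny wins; with the allow-only rules the expert keeps it and the regular user is denied without any explicit deny rule.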