On 06/06/2012 06:26 PM, Jan-Philip Loos wrote:
Sorry, my fault: I misunderstood the part with the delete. You meant the
rights, and not the 'delete' itself.
But again to the rights hint: We double-checked the rights of the crucial
sites, with different test-users and guests (without sessions). We tested in
different browsers and even in VMs on different OS. I wrote even a small
crawler to penetrate our site more regularly and controlled. We reproduced
some guest-edits with our crawler. But we can't edit these sites when we are
moving on our site as a guest manually. So we can't reproduce it directly
and repeatable.
I'm beginning to think that it's not a rights configuration issue, but a
software problem.
One important question nobody asked so far: are you using any custom
authenticator or rights implementation, like LDAP, Kerberos or another SSO?
Another possibility is that the servlet container or a frontend server
is mangling sessions, putting the Google bot in the same session as a
valid authenticated user. Can you give us more details about your setup?
Like: Tomcat + Apache HTTPD + mod_proxy_http
We only know, edits and deletions are possible for (crawler-)guests
sometimes under some unknown circumstances and causes, even if it's not
possible for 'us', when we are guests.
I will test your extension 'Admin Tools Application' with CheckRights you
posted on the reply later. Thanks! This will be very useful for our daily
routine anyway.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
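
Added example, not part of the original message or of XWiki: one way to check the session-mangling hypothesis raised in the reply above is to look in the frontend access log for a session ID that was presented by both a crawler and a regular browser. It assumes the log records the session cookie (Apache's `%{JSESSIONID}C` appended to the combined format); the log lines, addresses and session IDs are constructed.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat: combined, plus the session cookie via %{JSESSIONID}C
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{JSESSIONID}C"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<sid>[^"]*)"$'
)
CRAWLER_RE = re.compile(r"bot|crawler|spider", re.IGNORECASE)  # heuristic only

def find_shared_sessions(lines):
    """Map each session ID presented with more than one distinct User-Agent
    to the sorted (ip, user_agent) pairs that presented it."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sid"] in ("", "-"):
            continue  # unparsable line, or request sent without a session cookie
        clients[m["sid"]].add((m["ip"], m["ua"]))
    return {sid: sorted(seen) for sid, seen in clients.items()
            if len({ua for _, ua in seen}) > 1}

def crawler_in_user_session(shared):
    """Session IDs where a crawler UA and a non-crawler UA share one session."""
    return sorted(
        sid for sid, seen in shared.items()
        if {bool(CRAWLER_RE.search(ua)) for _, ua in seen} == {True, False}
    )

# Constructed sample log lines (documentation IP ranges, made-up session IDs).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [06/Jun/2012:10:00:01 +0200] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 812 "-" "{FIREFOX}" "AAAA1111"',
    f'198.51.100.7 - - [06/Jun/2012:10:00:04 +0200] "GET /xwiki/bin/edit/Main/WebHome HTTP/1.1" 200 5120 "-" "{GOOGLEBOT}" "AAAA1111"',
    f'198.51.100.7 - - [06/Jun/2012:10:00:09 +0200] "GET /xwiki/bin/view/Main/Other HTTP/1.1" 200 640 "-" "{GOOGLEBOT}" "BBBB2222"',
    f'192.0.2.20 - - [06/Jun/2012:10:00:12 +0200] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 812 "-" "{FIREFOX}" "-"',
]

if __name__ == "__main__":
    shared = find_shared_sessions(SAMPLE_LOG)
    for sid in crawler_in_user_session(shared):
        print(sid, shared[sid])
```

Only a User-Agent change within one session ID is flagged; a changing client IP alone is ignored because clients legitimately roam between addresses.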