15 Jul
2013
15 Jul
'13
9:17 p.m.
Hi,
I'm running into some difficulties with permissions to run scripts for LDAP
users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.
The subwiki has a script written with Python (and some Velocity). This
script page then gets included on many pages with the {{include}} macro.
There's another script (velocity and javascript) which uploads an
attachment to the pages with the include macro, so:
Page A - Code for the python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B
The wiki farm is configured to use LDAP authentication against an external
LDAP user database. This works fine - people can log in to the subwiki with
their external credentials, and XWiki will create a user object for them.
The problem is that when an LDAP user without programming rights uses Page
C to upload an attachment to Page B, the attachment uploads but the page
will then not display, giving the "You don't have the right to execute this
script" error. I presume this is because creating an attachment on the page
means that the page was last saved by a user with non-programming rights,
so the page no longer has the rights to execute the script.
If I manually create a non-LDAP user on the main wiki and give that user
programming rights, then log into the subwiki as that user, make a small
modification to Page B and resave, it will display correctly again.
However, I cannot seem to assign programming rights to an LDAP user - those
rights don't appear to be inherited by the subwiki. So if I have the LDAP
user log in to the main wiki, it will create a user object
(xwiki:XWiki.adminuser@testcom). I can grant that user programming rights
on the main wiki, but if I try and log in with those credentials on the
subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and
re-saving the page with that user doesn't fix the problem.
Is there any way to either:
a) Grant programming rights to an LDAP user, such that users who are
authorized to make changes don't break the script permissions
or
b) Make it so that a normal non-programming user can upload attachments to
a page without breaking included scripts?
Any help is appreciated,
aaron
20 Jul
20 Jul
3:40 p.m.
Bump. Short version:
1) Has anyone successfully assigned programming rights to an LDAP user on a
subwiki?
2) Is there a preferred way to allow normal users to upload attachments to
a page containing a python script without getting the "You don't have the
right to execute this script" error after the attachment is uploaded?
much thanks,
aaron
On Mon, Jul 15, 2013 at 3:17 PM, Aaron Hardy at AC <
ashtarcommunications(a)gmail.com> wrote:
Hi,
I'm running into some difficulties with permissions to run scripts for
LDAP users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.
The subwiki has a script written with Python (and some Velocity). This
script page then gets included on many pages with the {{include}} macro.
There's another script (velocity and javascript) which uploads an
attachment to the pages with the include macro, so:
Page A - Code for the python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B
The wiki farm is configured to use LDAP authentication against an external
LDAP user database. This works fine - people can log in to the subwiki with
their external credentials, and XWiki will create a user object for them.
The problem is that when an LDAP user without programming rights uses Page
C to upload an attachment to Page B, the attachment uploads but the page
will then not display, giving the "You don't have the right to execute this
script" error. I presume this is because creating an attachment on the page
means that the page was last saved by a user with non-programming rights,
so the page no longer has the rights to execute the script.
If I manually create a non-LDAP user on the main wiki and give that user
programming rights, then log into the subwiki as that user, make a small
modification to Page B and resave, it will display correctly again.
However, I cannot seem to assign programming rights to an LDAP user -
those rights don't appear to be inherited by the subwiki. So if I have the
LDAP user log in to the main wiki, it will create a user object
(xwiki:XWiki.adminuser@testcom). I can grant that user programming rights
on the main wiki, but if I try and log in with those credentials on the
subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and
re-saving the page with that user doesn't fix the problem.
Is there any way to either:
a) Grant programming rights to an LDAP user, such that users who are
authorized to make changes don't break the script permissions
or
b) Make it so that a normal non-programming user can upload attachments to
a page without breaking included scripts?
Any help is appreciated,
aaron
21 Jul
21 Jul
7:27 p.m.
There is nothing special about LDAP users, it's XWiki users like any
other that just happen to come from LDAP. You can't give programming
right to a subwiki user or group it has to be a global (main wiki)
user/group. You can look at
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCa…
to make sure your LDAP users are global users.
On Mon, Jul 15, 2013 at 10:17 PM, Aaron Hardy at AC
<ashtarcommunications(a)gmail.com> wrote:
Hi,
I'm running into some difficulties with permissions to run scripts for LDAP
users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.
The subwiki has a script written with Python (and some Velocity). This
script page then gets included on many pages with the {{include}} macro.
There's another script (velocity and javascript) which uploads an
attachment to the pages with the include macro, so:
Page A - Code for the python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B
The wiki farm is configured to use LDAP authentication against an external
LDAP user database. This works fine - people can log in to the subwiki with
their external credentials, and XWiki will create a user object for them.
The problem is that when an LDAP user without programming rights uses Page
C to upload an attachment to Page B, the attachment uploads but the page
will then not display, giving the "You don't have the right to execute this
script" error. I presume this is because creating an attachment on the page
means that the page was last saved by a user with non-programming rights,
so the page no longer has the rights to execute the script.
If I manually create a non-LDAP user on the main wiki and give that user
programming rights, then log into the subwiki as that user, make a small
modification to Page B and resave, it will display correctly again.
However, I cannot seem to assign programming rights to an LDAP user - those
rights don't appear to be inherited by the subwiki. So if I have the LDAP
user log in to the main wiki, it will create a user object
(xwiki:XWiki.adminuser@testcom). I can grant that user programming rights
on the main wiki, but if I try and log in with those credentials on the
subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and
re-saving the page with that user doesn't fix the problem.
Is there any way to either:
a) Grant programming rights to an LDAP user, such that users who are
authorized to make changes don't break the script permissions
or
b) Make it so that a normal non-programming user can upload attachments to
a page without breaking included scripts?
Any help is appreciated,
aaron
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
23 Jul
23 Jul
9:48 p.m.
Thank you, that makes sense - I just needed to disable LDAP on the subwiki
to force it to look to the main wiki for the user with programming rights,
rather than create a new user (without rights) on the subwiki.
For anyone googling - I don't think there's a way to allow regular users to
upload an attachment to a page that contains a script which needs
programming rights without breaking it. So I am trying to either port my
python code to velocity, or will set up two different pages - one which
contains the attachments, and one which exclusively has the script. If
anyone has a better way of going about it, please let me know.
thanks,
aaron
On Sun, Jul 21, 2013 at 1:27 PM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com>wrote;wrote:
There is nothing special about LDAP users, it's
XWiki users like any
other that just happen to come from LDAP. You can't give programming
right to a subwiki user or group it has to be a global (main wiki)
user/group. You can look at
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCa…
to make sure your LDAP users are global users.
On Mon, Jul 15, 2013 at 10:17 PM, Aaron Hardy at AC
<ashtarcommunications(a)gmail.com> wrote:
Hi,
I'm running into some difficulties with permissions to run scripts for
LDAP
users on a subwiki. I'm running XWiki 5.0.3
on Tomcat.
The subwiki has a script written with Python (and some Velocity). This
script page then gets included on many pages with the {{include}} macro.
There's another script (velocity and javascript) which uploads an
attachment to the pages with the include macro, so:
Page A - Code for the python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B
The wiki farm is configured to use LDAP authentication against an
external
LDAP user database. This works fine - people can
log in to the subwiki
with
their external credentials, and XWiki will create
a user object for them.
The problem is that when an LDAP user without programming rights uses
Page
C to upload an attachment to Page B, the
attachment uploads but the page
will then not display, giving the "You don't have the right to execute
this
script" error. I presume this is because
creating an attachment on the
page
means that the page was last saved by a user with
non-programming rights,
so the page no longer has the rights to execute the script.
If I manually create a non-LDAP user on the main wiki and give that user
programming rights, then log into the subwiki as that user, make a small
modification to Page B and resave, it will display correctly again.
However, I cannot seem to assign programming rights to an LDAP user -
those
rights don't appear to be inherited by the
subwiki. So if I have the LDAP
user log in to the main wiki, it will create a user object
(xwiki:XWiki.adminuser@testcom). I can grant that user programming
rights
on the main wiki, but if I try and log in with
those credentials on the
subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and
re-saving the page with that user doesn't fix the problem.
Is there any way to either:
a) Grant programming rights to an LDAP user, such that users who are
authorized to make changes don't break the script permissions
or
b) Make it so that a normal non-programming user can upload attachments
to
a page without breaking included scripts?
Any help is appreciated,
aaron
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
4076
days inactive
4084
days old
3 comments
2 participants
participants (2)
-
Aaron Hardy at AC -
Thomas Mortagne