[xwiki-users] Programming rights for LDAP users on sub-wiki
Hi,
I'm running into some difficulties with permissions to run scripts for LDAP users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.
The subwiki has a script written with Python (and some Velocity). This script page then gets included on many pages with the {{include}} macro. There's another script (velocity and javascript) which uploads an attachment to the pages with the include macro, so:
Page A - Code for the python script
Page B - Includes script from Page A
Page C - Uploads attachments to Page B
The wiki farm is configured to use LDAP authentication against an external LDAP user database. This works fine - people can log in to the subwiki with their external credentials, and XWiki will create a user object for them.
The problem is that when an LDAP user without programming rights uses Page C to upload an attachment to Page B, the attachment uploads but the page will then not display, giving the "You don't have the right to execute this script" error. I presume this is because creating an attachment on the page means that the page was last saved by a user with non-programming rights, so the page no longer has the rights to execute the script.
If I manually create a non-LDAP user on the main wiki and give that user programming rights, then log into the subwiki as that user, make a small modification to Page B and resave, it will display correctly again.
However, I cannot seem to assign programming rights to an LDAP user - those rights don't appear to be inherited by the subwiki. So if I have the LDAP user log in to the main wiki, it will create a user object (xwiki:XWiki.adminuser@testcom). I can grant that user programming rights on the main wiki, but if I try and log in with those credentials on the subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and re-saving the page with that user doesn't fix the problem.
Is there any way to either:
a) Grant programming rights to an LDAP user, such that users who are authorized to make changes don't break the script permissions or
b) Make it so that a normal non-programming user can upload attachments to a page without breaking included scripts?
Any help is appreciated,
aaron
Bump.
Short version:
1) Has anyone successfully assigned programming rights to an LDAP user on a subwiki?
2) Is there a preferred way to allow normal users to upload attachments to a page containing a python script without getting the "You don't have the right to execute this script" error after the attachment is uploaded?
much thanks,
aaron
On Mon, Jul 15, 2013 at 3:17 PM, Aaron Hardy at AC <[email protected]> wrote:
> Hi,
> I'm running into some difficulties with permissions to run scripts for LDAP users on a subwiki. I'm running XWiki 5.0.3 on Tomcat.
> The subwiki has a script written with Python (and some Velocity). This script page then gets included on many pages with the {{include}} macro. There's another script (velocity and javascript) which uploads an attachment to the pages with the include macro, so:
> Page A - Code for the python script
> Page B - Includes script from Page A
> Page C - Uploads attachments to Page B
> The wiki farm is configured to use LDAP authentication against an external LDAP user database. This works fine - people can log in to the subwiki with their external credentials, and XWiki will create a user object for them.
> The problem is that when an LDAP user without programming rights uses Page C to upload an attachment to Page B, the attachment uploads but the page will then not display, giving the "You don't have the right to execute this script" error. I presume this is because creating an attachment on the page means that the page was last saved by a user with non-programming rights, so the page no longer has the rights to execute the script.
> If I manually create a non-LDAP user on the main wiki and give that user programming rights, then log into the subwiki as that user, make a small modification to Page B and resave, it will display correctly again.
> However, I cannot seem to assign programming rights to an LDAP user - those rights don't appear to be inherited by the subwiki. So if I have the LDAP user log in to the main wiki, it will create a user object (xwiki:XWiki.adminuser@testcom). I can grant that user programming rights on the main wiki, but if I try and log in with those credentials on the subwiki, it creates a new user (subwiki:XWiki:adminuser@testcom) - and re-saving the page with that user doesn't fix the problem.
> Is there any way to either:
> a) Grant programming rights to an LDAP user, such that users who are authorized to make changes don't break the script permissions or
> b) Make it so that a normal non-programming user can upload attachments to a page without breaking included scripts?
> Any help is appreciated,
> aaron
There is nothing special about LDAP users, it's XWiki users like any other that just happen to come from LDAP. You can't give programming right to a subwiki user or group; it has to be a global (main wiki) user/group.
You can look at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCas... to make sure your LDAP users are global users.
--
Thomas Mortagne
Thank you, that makes sense - I just needed to disable LDAP on the subwiki to force it to look to the main wiki for the user with programming rights, rather than create a new user (without rights) on the subwiki.
For anyone googling - I don't think there's a way to allow regular users to upload an attachment to a page that contains a script which needs programming rights without breaking it. So I am trying to either port my python code to velocity, or will set up two different pages - one which contains the attachments, and one which exclusively has the script.
If anyone has a better way of going about it, please let me know.
thanks,
aaron
On Sun, Jul 21, 2013 at 1:27 PM, Thomas Mortagne <[email protected]> wrote:
> There is nothing special about LDAP users, it's XWiki users like any other that just happen to come from LDAP. You can't give programming right to a subwiki user or group it has to be a global (main wiki) user/group. You can look at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCas... to make sure your LDAP users are global users.
> --
> Thomas Mortagne
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
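The behaviour discussed in this thread, as a small Python model added here as an example; it is not XWiki code and does not come from either poster. The class names, the `uploader` user and the `report.pdf` file are assumptions, and the rule that an upload changes the page's last author follows the first message's description.

```python
# Simplified model of the rights behaviour described in this thread.
# Not XWiki code: all class and function names are hypothetical.
from dataclasses import dataclass, field

MAIN_WIKI = "xwiki"
ERROR = "You don't have the right to execute this script"

@dataclass(frozen=True)
class User:
    wiki: str                  # wiki that holds the user object
    name: str
    programming: bool = False  # right as granted on that wiki

    def has_programming_right(self) -> bool:
        # Per the thread: only a global (main wiki) user can hold this right.
        return self.programming and self.wiki == MAIN_WIKI

@dataclass
class Page:
    last_author: User
    needs_programming: bool = False  # page runs or includes the Python script
    attachments: list = field(default_factory=list)

    def upload(self, user: User, filename: str) -> None:
        # As observed in the thread: an upload counts as a save by the uploader.
        self.attachments.append(filename)
        self.last_author = user

    def render(self) -> str:
        if self.needs_programming and not self.last_author.has_programming_right():
            return ERROR
        return "ok"

def demo() -> dict:
    admin = User(MAIN_WIKI, "adminuser", programming=True)
    local_admin = User("subwiki", "adminuser", programming=True)  # subwiki copy
    uploader = User("subwiki", "uploader")  # constructed sample user
    out = {}
    page_b = Page(admin, needs_programming=True)
    page_b.upload(uploader, "report.pdf")
    out["after_upload"] = page_b.render()
    page_b.last_author = local_admin
    out["resaved_by_subwiki_user"] = page_b.render()
    page_b.last_author = admin
    out["resaved_by_global_user"] = page_b.render()
    # Split layout from the last message: uploads only touch the files page.
    script_page, files_page = Page(admin, needs_programming=True), Page(admin)
    files_page.upload(uploader, "report.pdf")
    out["split_layout"] = (script_page.render(), files_page.render())
    return out
```

Calling `demo()` returns the render result for each step: the upload and the re-save by the subwiki copy of the user both leave the page in the error state, while the re-save by the main wiki user and the split layout do not.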
participants (2)
- Aaron Hardy at AC
- Thomas Mortagne