Hi Marius,
I, apparently, did NOT know that! It seems painfully obvious now, but
at the time we were setting this up, we thought we had to explicitly block
people from seeing those protected pages. Now I understand that the
"allow" checkbox implicitly blocks anyone not also allowed.
Thank you very much for clearing that up for me!
- Matt L.
On Fri, Mar 8, 2013 at 2:13 AM, Marius Dumitru Florea <mariusdumitru.florea(a)xwiki.com> wrote:
Hi Matt,
In case you don't know, an explicit allow rule means deny for everyone
else. So when you give for instance 'view' rights to Group A to a
Space X it means that *only* Group A is allowed to view the pages from
space X. Thus if you use allow instead of deny then you can have a
user be part of both Group A and B, and she will have access to the
set of pages that both groups have.
In any case, removing users from XWikiAllGroup is a sign of bad
design. You should not have to do this. All valid users must be part
of XWikiAllGroup otherwise you might get into trouble later.
Hope this helps,
Marius
On Thu, Mar 7, 2013 at 9:52 PM, Matt Lamoureux <mmlmrx(a)gmail.com> wrote:
Hi all,
I am having trouble understanding user permissions again. I have XWiki
set up for LDAP authentication, so any user who signs in gets added to
the XWikiAllGroup. For this example, let's say I have GroupA and GroupB,
both of which have their own sets of protected pages. The way it works
now is that I have to remove each user from XWikiAllGroup and add them to
either GroupA or GroupB. This way, the protected pages are set to deny to
anyone NOT a member of that particular group.
My question is: how can I get a single member of Group A to be
authorized for the GroupB protected pages? I cannot simply add them to
GroupB - they would then not be allowed access to either set of pages
because the deny rules take precedence. I could add them to a third
group called GroupsA&B, but that seems a poor solution, as this would
only increase in complexity in the future. Do I have my architecture of
protected pages set up wrong - is there a more logical way to configure
this?
Thanks in advance!
- Matt L.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
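The two rights layouts discussed in this thread, as an added Python sketch (not part of the original messages and not XWiki's own code). It is a simplified model of the behaviour described above; the space names SpaceA/SpaceB, the Rule type, the constructed rule sets and the open-by-default fallback are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    space: str
    group: str
    right: str
    allow: bool  # True = "allow" box ticked, False = "deny" box ticked

def can(user_groups, space, right, rules):
    """Simplified evaluation of one right on one space for a set of groups."""
    relevant = [r for r in rules if r.space == space and r.right == right]
    # A deny rule that matches any of the user's groups takes precedence.
    if any(not r.allow and r.group in user_groups for r in relevant):
        return False
    allows = [r for r in relevant if r.allow]
    # Any explicit allow rule implicitly denies everyone it does not name.
    if allows:
        return any(r.group in user_groups for r in allows)
    return True  # assumption: no rule for this right means open access

def visible_spaces(user_groups, rules, right="view"):
    spaces = sorted({r.space for r in rules})
    return [s for s in spaces if can(user_groups, s, right, rules)]

# Constructed rule set: deny-based layout, users removed from XWikiAllGroup.
DENY_BASED = [
    Rule("SpaceA", "XWikiAllGroup", "view", False),
    Rule("SpaceA", "GroupB", "view", False),
    Rule("SpaceB", "XWikiAllGroup", "view", False),
    Rule("SpaceB", "GroupA", "view", False),
]

# Constructed rule set: allow-based layout, everyone stays in XWikiAllGroup.
ALLOW_BASED = [
    Rule("SpaceA", "GroupA", "view", True),
    Rule("SpaceB", "GroupB", "view", True),
]

if __name__ == "__main__":
    print("deny-based, A+B: ", visible_spaces({"GroupA", "GroupB"}, DENY_BASED))
    print("allow-based, A+B:",
          visible_spaces({"XWikiAllGroup", "GroupA", "GroupB"}, ALLOW_BASED))
    print("allow-based, A:  ",
          visible_spaces({"XWikiAllGroup", "GroupA"}, ALLOW_BASED))
```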