group authorization

[sharif islam <sh...@gmail.com>]

According to this page: http://solprovider.com/lenya/security lenya
(1.2) cannot assign specific permissions to groups:

" This is a hack because Lenya 1.2.2 does not meet its own specifications:
Excerpt from http://lenya.apache.org:
Security: The access control allows you to restrict access to parts of
your site to members of a group or individuals.
 This may be possible, but it is not easy, and cannot be configured by
the typical developer (meaning I could not figure it out, and my
skills are advanced well beyond the typical developer.) "

I created a group called 'myGroup' with a member 'newUser'. Then I
created a new page under the home directory login in as admin. I gave
edit role to the group 'myGroup' for that new page. (Home->newpage). 
I was able to edit the new page only after I added 'newUser' to the
edit group. However, that also allowed me to edit the Home page. I
didn't want that. This seems to be a pretty basic functionality. I am
not sure what I am missing.

--Sharif

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org

Re: group authorization

[sharif islam <sh...@gmail.com>]

On 2/3/06, Andreas Hartmann <an...@apache.org> wrote:
>
> It should be sufficient to give them the role "visit" for the
> whole site. If they can edit something with this role, something
> else is broken (e.g., the usecase-policies or the workflow
> declaration).

ok, that worked. I had to assign the role in the authoring level for
the whole site. So:
mySite
	Authoring
		Home
		Tutorial
Go to Authoring. Click on AC Auth tab and assign the role. I still can
see all other pages, but just edit the designated ones.

--Sharif

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org

Re: group authorization

[Andreas Hartmann <an...@apache.org>]

Bob Harner wrote:

[...]

>> One drawback remains: The newUser can only login into the
>> /newpage but not into any other page. That means he has to remember the
>> page title in order to login into the system :-(
>>
>> Jann
>>
> 
> Yes, that last behavior is a real annoyance to my customers, and I
> wonder if anyone knows how to change it so that such restricted users
> can log into the top level (home page) but still only be able to edit
> their specific sub-tree.

It should be sufficient to give them the role "visit" for the
whole site. If they can edit something with this role, something
else is broken (e.g., the usecase-policies or the workflow
declaration).

-- Andreas



-- 
Andreas Hartmann
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
andreas.hartmann@wyona.com                     andreas@apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org

Re: group authorization

[Bob Harner <bo...@gmail.com>]

On 2/3/06, Jann Forrer <ja...@id.unizh.ch> wrote:
> On Thu, 2 Feb 2006, sharif islam wrote:
>
> > According to this page: http://solprovider.com/lenya/security lenya
> > (1.2) cannot assign specific permissions to groups:
> >
> > " This is a hack because Lenya 1.2.2 does not meet its own specifications:
> > Excerpt from http://lenya.apache.org:
> > Security: The access control allows you to restrict access to parts of
> > your site to members of a group or individuals.
> > This may be possible, but it is not easy, and cannot be configured by
> > the typical developer (meaning I could not figure it out, and my
> > skills are advanced well beyond the typical developer.) "
> >
> > I created a group called 'myGroup' with a member 'newUser'. Then I
> > created a new page under the home directory login in as admin. I gave
> > edit role to the group 'myGroup' for that new page. (Home->newpage).
> > I was able to edit the new page only after I added 'newUser' to the
> > edit group. However, that also allowed me to edit the Home page. I
> > didn't want that. This seems to be a pretty basic functionality. I am
> > not sure what I am missing.
> >
>
> I am working with lenya-1.2.x and i did use that feature quite often and
> it works for us.
> However i tried your usecase described above:
> In the defautl pub i created a new group "newGroup" and adding a
> "newUser" (this user is only in the group newGroup). Then I gave the
> newGroup the right to edit /newpage. The user newUser is no able to edit
> /newpage but could not edit the homepage. Note that i did not add the
> newUser to the edit group!
> One drawback remains: The newUser can only login into the
> /newpage but not into any other page. That means he has to remember the
> page title in order to login into the system :-(
>
> Jann
>

Yes, that last behavior is a real annoyance to my customers, and I
wonder if anyone knows how to change it so that such restricted users
can log into the top level (home page) but still only be able to edit
their specific sub-tree.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org

Re: group authorization

[Jann Forrer <ja...@id.unizh.ch>]

On Thu, 2 Feb 2006, sharif islam wrote:

> According to this page: http://solprovider.com/lenya/security lenya
> (1.2) cannot assign specific permissions to groups:
>
> " This is a hack because Lenya 1.2.2 does not meet its own specifications:
> Excerpt from http://lenya.apache.org:
> Security: The access control allows you to restrict access to parts of
> your site to members of a group or individuals.
> This may be possible, but it is not easy, and cannot be configured by
> the typical developer (meaning I could not figure it out, and my
> skills are advanced well beyond the typical developer.) "
>
> I created a group called 'myGroup' with a member 'newUser'. Then I
> created a new page under the home directory login in as admin. I gave
> edit role to the group 'myGroup' for that new page. (Home->newpage).
> I was able to edit the new page only after I added 'newUser' to the
> edit group. However, that also allowed me to edit the Home page. I
> didn't want that. This seems to be a pretty basic functionality. I am
> not sure what I am missing.
>

I am working with lenya-1.2.x and i did use that feature quite often and 
it works for us.
However i tried your usecase described above: 
In the defautl pub i created a new group "newGroup" and adding a 
"newUser" (this user is only in the group newGroup). Then I gave the 
newGroup the right to edit /newpage. The user newUser is no able to edit 
/newpage but could not edit the homepage. Note that i did not add the 
newUser to the edit group!
One drawback remains: The newUser can only login into the 
/newpage but not into any other page. That means he has to remember the 
page title in order to login into the system :-(

Jann

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org

Re: group authorization

[so...@apache.org]

On 2/2/06, sharif islam <sh...@gmail.com> wrote:
> According to this page: http://solprovider.com/lenya/security lenya
> (1.2) cannot assign specific permissions to groups:
>
> " This is a hack because Lenya 1.2.2 does not meet its own specifications:
> Excerpt from http://lenya.apache.org:
> Security: The access control allows you to restrict access to parts of
> your site to members of a group or individuals.
>  This may be possible, but it is not easy, and cannot be configured by
> the typical developer (meaning I could not figure it out, and my
> skills are advanced well beyond the typical developer.) "
>
> I created a group called 'myGroup' with a member 'newUser'. Then I
> created a new page under the home directory login in as admin. I gave
> edit role to the group 'myGroup' for that new page. (Home->newpage).
> I was able to edit the new page only after I added 'newUser' to the
> edit group. However, that also allowed me to edit the Home page. I
> didn't want that. This seems to be a pretty basic functionality. I am
> not sure what I am missing.

I love being quoted, but that page is about limiting access for
"Member's Only Sections" while reading the website.  It does not
concern authoring/editing documents (although a side effect of using
those instructions is an editor who edits a page they cannot access
will not see the previous contents, and it will not appear in the
"Authoring" menu, but the "Site" tab is a hole.)

My opinion is each Document should enforce its own security 
("adminGroup" and "group1" can read and edit, "group2" can read,
"registered" can read or not, "anonymous" can read or not); a Document
should not appear on menus if you do not have read access, and
accessing anything without read access responds "This resource does
not exist or you are not authorized to access it." (same message if
the link is bad or the resource does not exist.)

There have been improvements in Lenya's security since 1.2.2, and
hopefully someone knowledgeable about them will respond.  What version
are you using?

solprovider

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org