Posted to dev@lenya.apache.org by Doug Chestnut <dh...@virginia.edu> on 2005/08/01 18:50:30 UTC

Closed User Group

Hi devs,

I am looking at the docs/source trying to figure out how to allow closed 
user groups on my live lenya site (default based pub).  My thought is 
that I can make a new restricted role (<role id="denied"/>) which would 
cancel the inherited <world><role id="visitor"/></world> policy.  My 
guess is that I would be able to take care of the cancellation in the 
policy manager?  Am I on the right track, or am I missing something?

Solprovider's hack (http://solprovider.com/lenya/security) will not work 
for me since I need to allow the cms users to restrict access to 
live pages.  I have seen this brought up a couple times in the mailing 
list, but haven't seen a fix/solution.  Would be nice to fill in the 
blanks on the wiki (http://wiki.apache.org/lenya/HowToClosedUserGroup).

Thanks for any advice :),
--Doug

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: Closed User Group

Posted by Doug Chestnut <dh...@virginia.edu>.

Torsten Schlabach wrote:
> Doug,
> 
> I once implemented something like this and I did it pretty much the way 
> you said. I started a Wiki page back then at
> http://wiki.apache.org/lenya/HowToClosedUserGroup.
> 
> Please note this is about 1.2. According to Andreas, in 1.4 there will be 
> a better approach of doing this, but as you are talking about a site 
> that is live already I would guess you are on 1.2?

Actually it is a site that I am building in 1.4, I just wanted to 
emphasize that I wanted to restrict the "live" area of my lenya pub 
(which is not yet live ;) ).

I will play around with this approach, but I would love to hear about 
the better approach ;)

Thanks

> 
> I am just noticing, the Wiki page is not yet very complete.
> 
> Regards,
> Torsten
> 
> Doug Chestnut wrote:
> 
>> Hi devs,
>>
>> I am looking at the docs/source trying to figure out how to allow 
>> closed user groups on my live lenya site (default based pub).  My 
>> thought is that I can make a new restricted role (<role id="denied"/>) 
>> which would cancel the inherited <world><role id="visitor"/></world> 
>> policy.  My guess is that I would be able to take care of the 
>> cancellation in the policy manager?  Am I on the right track, or am I 
>> missing something?
>>
>> Solprovider's hack (http://solprovider.com/lenya/security) will not 
>> work for me since I need to allow the cms users to restrict access 
>> to live pages.  I have seen this brought up a couple times in the 
>> mailing list, but haven't seen a fix/solution.  Would be nice to fill 
>> in the blanks on the wiki 
>> (http://wiki.apache.org/lenya/HowToClosedUserGroup).
>>
>> Thanks for any advice :),
>> --Doug


Re: Closed User Group

Posted by Torsten Schlabach <ts...@apache.org>.
Doug,

I once implemented something like this and I did it pretty much the way 
you said. I started a Wiki page back then at
http://wiki.apache.org/lenya/HowToClosedUserGroup.

Please note this is about 1.2. According to Andreas, in 1.4 there will be 
a better approach of doing this, but as you are talking about a site 
that is live already I would guess you are on 1.2?

I am just noticing, the Wiki page is not yet very complete.

Regards,
Torsten

Doug Chestnut wrote:
> Hi devs,
> 
> I am looking at the docs/source trying to figure out how to allow closed 
> user groups on my live lenya site (default based pub).  My thought is 
> that I can make a new restricted role (<role id="denied"/>) which would 
> cancel the inherited <world><role id="visitor"/></world> policy.  My 
> guess is that I would be able to take care of the cancellation in the 
> policy manager?  Am I on the right track, or am I missing something?
> 
> Solprovider's hack (http://solprovider.com/lenya/security) will not work 
> for me since I need to allow the cms users to restrict access to 
> live pages.  I have seen this brought up a couple times in the mailing 
> list, but haven't seen a fix/solution.  Would be nice to fill in the 
> blanks on the wiki (http://wiki.apache.org/lenya/HowToClosedUserGroup).
> 
> Thanks for any advice :),
> --Doug


Re: Closed User Group

Posted by Doug Chestnut <dh...@virginia.edu>.

solprovider@gmail.com wrote:
> On 8/1/05, Doug Chestnut <dh...@virginia.edu> wrote:
> 
>>I am looking at the docs/source trying to figure out how to allow closed
>>user groups on my live lenya site (default based pub).  My thought is
>>that I can make a new restricted role (<role id="denied"/>) which would
>>cancel the inherited <world><role id="visitor"/></world> policy.  My
>>guess is that I would be able to take care of the cancellation in the
>>policy manager?  Am I on the right track, or am I missing something?
>>
>>Solprovider's hack (http://solprovider.com/lenya/security) will not work
>>for me since I need to allow the cms users to restrict access to
>>live pages.  I have seen this brought up a couple times in the mailing
>>list, but haven't seen a fix/solution.  Would be nice to fill in the
>>blanks on the wiki (http://wiki.apache.org/lenya/HowToClosedUserGroup).
> 
> 
> The InheritingPolicyManager makes it very difficult to remove access. 
> It will be easier to design a proper security system from scratch than
> start with InheritingPolicyManager.  I would love to hear that 1.4
> will include customizable security.

Me too :).  This is really a desirable feature for me, getting tired of 
maintaining .htaccess file based restrictions on my current site (not in 
lenya).

> 
> I called my security system a hack because it used high-level XSL
> rather than fixing the code.  But from your specs, you  should be able
> to do something similar.  You have 2 requirements:
> 1. Allow the CMS users to choose which pages are secured.
> 2. Use security for chosen documents:
> 2.a Block access to page.
> 2.b Do not display on menu.
> 2.c Do not display in Search.
> 
> The difficult part is changing the CMS GUI to allow choosing pages to
> be blocked.  The webpage you mentioned has examples of everything
> else.  Your new button/action in the CMS GUI should:
> - Add a tag to the content page to allow page2xhtml.xsl to replace the
> page with a message.
> - Add an attribute to the sitetree.xmap to block displaying on the
> menus in navigation/menu.xsl.
> - Create something usable to block search.

Perhaps I am missing something, but it seems that the "AC Live" tab is 
the place to restrict access to areas of your site.  The patch I put in 
bugzilla makes the filepolicymanager (InheritingPolicyManager) only use 
one policy, its own, or closest ancestor's when the request is for a 
live document.

I am not using the lenya search and don't know how this might affect the 
search indexer/crawler.

--Doug
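
Added example, not part of the original message and not Lenya code: a simplified Java model of the two resolution strategies discussed above, showing why merging inherited policies keeps a closed area open to `visitor` while using only the closest policy does not. The class, the method names and the sample policy map are hypothetical.

```java
import java.util.*;

public class LivePolicyDemo {
    // Constructed sample: URL -> roles the policy stored at that URL grants to "world".
    static final Map<String, Set<String>> POLICIES = new HashMap<>();
    static {
        POLICIES.put("/", Set.of("visitor"));
        POLICIES.put("/members", Set.of());   // closed area: no role for world
    }

    // "/a/b.html" -> ["/", "/a", "/a/b.html"]
    static List<String> chain(String url) {
        List<String> out = new ArrayList<>(List.of("/"));
        int i = 0;
        while ((i = url.indexOf('/', i + 1)) != -1) out.add(url.substring(0, i));
        if (url.length() > 1) out.add(url);
        return out;
    }

    // Inheriting model (assumed simplification): roles of every ancestor policy are merged,
    // so an empty policy further down cannot take "visitor" away again.
    static Set<String> inheritedRoles(String url) {
        Set<String> roles = new TreeSet<>();
        for (String node : chain(url)) roles.addAll(POLICIES.getOrDefault(node, Set.of()));
        return roles;
    }

    // Closest-policy model: only the document's own policy, or failing that the
    // nearest ancestor's, is consulted.
    static Set<String> closestRoles(String url) {
        List<String> nodes = chain(url);
        for (int i = nodes.size() - 1; i >= 0; i--) {
            Set<String> own = POLICIES.get(nodes.get(i));
            if (own != null) return own;
        }
        return Set.of();   // no policy anywhere on the path: deny by default
    }

    public static void main(String[] args) {
        for (String url : new String[] {"/index.html", "/members/report.html"}) {
            System.out.println(url + " inherited=" + inheritedRoles(url)
                    + " closest=" + closestRoles(url));
        }
    }
}
```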



Re: Closed User Group

Posted by Andreas Hartmann <an...@apache.org>.
solprovider@gmail.com wrote:

[...]

> The InheritingPolicyManager makes it very difficult to remove access. 
> It will be easier to design a proper security system from scratch than
> start with InheritingPolicyManager.  I would love to hear that 1.4
> will include customizable security.

AFAIK nothing has changed re. access control in 1.4.
But, as always, patches are welcome.

-- Andreas




Re: Closed User Group

Posted by so...@gmail.com.
On 8/1/05, Doug Chestnut <dh...@virginia.edu> wrote:
> I am looking at the docs/source trying to figure out how to allow closed
> user groups on my live lenya site (default based pub).  My thought is
> that I can make a new restricted role (<role id="denied"/>) which would
> cancel the inherited <world><role id="visitor"/></world> policy.  My
> guess is that I would be able to take care of the cancellation in the
> policy manager?  Am I on the right track, or am I missing something?
> 
> Solprovider's hack (http://solprovider.com/lenya/security) will not work
> for me since I need to allow the cms users to restrict access to
> live pages.  I have seen this brought up a couple times in the mailing
> list, but haven't seen a fix/solution.  Would be nice to fill in the
> blanks on the wiki (http://wiki.apache.org/lenya/HowToClosedUserGroup).

The InheritingPolicyManager makes it very difficult to remove access. 
It will be easier to design a proper security system from scratch than
start with InheritingPolicyManager.  I would love to hear that 1.4
will include customizable security.

I called my security system a hack because it used high-level XSL
rather than fixing the code.  But from your specs, you  should be able
to do something similar.  You have 2 requirements:
1. Allow the CMS users to choose which pages are secured.
2. Use security for chosen documents:
2.a Block access to page.
2.b Do not display on menu.
2.c Do not display in Search.

The difficult part is changing the CMS GUI to allow choosing pages to
be blocked.  The webpage you mentioned has examples of everything
else.  Your new button/action in the CMS GUI should:
- Add a tag to the content page to allow page2xhtml.xsl to replace the
page with a message.
- Add an attribute to the sitetree.xmap to block displaying on the
menus in navigation/menu.xsl.
- Create something usable to block search.

I am assuming you are using my Search. It is standard in 1.2.4, but I
do not know if it is in 1.4.  You can write the secured URLs to a
file, then read that file in search-and-results.xsp:
For each line in file: protectedAreas.put(line, "requiredgroup");

If you are only using one Group, your file can contain just the URLs. 
If you need multiple Groups, then record the Group and the URL, and
parse it in search-and-results.xsp.  If you want to get fancy, use
XML.

You might use a Group rather than a Role.  My modified login.xsp makes
Groups easy to use.    Roles require much more work.

solprovider
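
Added example, not part of the original message and not the code of search-and-results.xsp: a stand-alone Java sketch of the file-driven `protectedAreas` map described above, with one URL per line and an optional group after it. The file layout, the prefix matching and all class and method names are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class ProtectedSearchFilter {
    // Each line is "URL" (falls back to defaultGroup) or "URL group".
    // Blank lines and lines starting with '#' are skipped.
    static Map<String, String> load(Reader src, String defaultGroup) throws IOException {
        Map<String, String> protectedAreas = new LinkedHashMap<>();
        BufferedReader in = new BufferedReader(src);
        String line;
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] parts = line.split("\\s+", 2);
            protectedAreas.put(parts[0], parts.length == 2 ? parts[1] : defaultGroup);
        }
        return protectedAreas;
    }

    // A search hit is shown unless it lies inside a protected area
    // whose required group the user does not belong to.
    static boolean mayShow(String url, Set<String> userGroups, Map<String, String> areas) {
        for (Map.Entry<String, String> e : areas.entrySet()) {
            String area = e.getKey();
            String prefix = area.endsWith("/") ? area : area + "/";
            boolean inside = url.equals(area) || url.startsWith(prefix);
            if (inside && !userGroups.contains(e.getValue())) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file content and search hits.
        String file = "# secured URLs\n/members\n/board staff\n";
        Map<String, String> areas = load(new StringReader(file), "members");
        List<String> hits = List.of("/index.html", "/members/report.html", "/board/minutes.html");
        Set<String> groups = Set.of("members");   // groups of the user running the search
        for (String hit : hits) {
            if (mayShow(hit, groups, areas)) System.out.println(hit);
        }
    }
}
```

An anonymous user is modelled by an empty group set, which hides every hit under a listed URL.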
