Posted to commits@lenya.apache.org by ne...@apache.org on 2007/07/13 17:55:53 UTC
svn commit: r556049 - in
/lenya/trunk/src/pubs/default/config/access-control: passwd/session.rml
policies/authoring/subtree-policy.acml usecase-policies.xml
Author: nettings
Date: Fri Jul 13 08:55:52 2007
New Revision: 556049
URL: http://svn.apache.org/viewvc?view=rev&rev=556049
Log:
introduce a session role into the default publication.
everybody (aka <world/>) gets the session role in authoring/.
it allows access to ac.login (not really, since it is sneaked past the
authorizer), ac.logout and admin.aboutLenya. all these should be
available to everyone, always.
evil-minded people can still remove them via the admin gui, but they get
what they deserve.
Added:
lenya/trunk/src/pubs/default/config/access-control/passwd/session.rml
Modified:
lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml
lenya/trunk/src/pubs/default/config/access-control/usecase-policies.xml
Added: lenya/trunk/src/pubs/default/config/access-control/passwd/session.rml
URL: http://svn.apache.org/viewvc/lenya/trunk/src/pubs/default/config/access-control/passwd/session.rml?view=auto&rev=556049
==============================================================================
--- lenya/trunk/src/pubs/default/config/access-control/passwd/session.rml (added)
+++ lenya/trunk/src/pubs/default/config/access-control/passwd/session.rml Fri Jul 13 08:55:52 2007
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- $Id$ -->
+
+<role class="org.apache.lenya.ac.file.FileRole" id="session"/>
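Review bot: the role definition on the last line, id="session", has no comment saying what the role is for. Since the log message says it is meant to be held by everybody, a one-line comment in this file stating that it should only ever be attached to ac.login, ac.logout and admin.aboutLenya would keep it from being reused for anything sensitive later.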
Modified: lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml
URL: http://svn.apache.org/viewvc/lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml?view=diff&rev=556049&r1=556048&r2=556049
==============================================================================
--- lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml (original)
+++ lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml Fri Jul 13 08:55:52 2007
@@ -31,5 +31,10 @@
<group id="admin">
<role id="admin" method="grant"/>
</group>
+
+ <!-- the "session" role grants access to login, logout and aboutLenya -->
+ <world>
+ <role id="session" method="grant"/>
+ </world>
</policy>
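Review bot: the <world> grant added just before </policy> gives every unauthenticated request a role in the authoring subtree, and nothing in this hunk limits that role to the three usecases named in the comment. Before this goes in, confirm that an anonymous request for an authoring page is still refused once world holds a role, and record that in the comment; if the page-level check cannot tell "session" apart from the other roles, the grant needs to be scoped differently.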
Modified: lenya/trunk/src/pubs/default/config/access-control/usecase-policies.xml
URL: http://svn.apache.org/viewvc/lenya/trunk/src/pubs/default/config/access-control/usecase-policies.xml?view=diff&rev=556049&r1=556048&r2=556049
==============================================================================
--- lenya/trunk/src/pubs/default/config/access-control/usecase-policies.xml (original)
+++ lenya/trunk/src/pubs/default/config/access-control/usecase-policies.xml Fri Jul 13 08:55:52 2007
@@ -20,6 +20,17 @@
<!--+++NOTE+++ The usecase list was initialized using modules/usecase-impl/xslt/initUsecasePolicies.xsl.-->
<usecases xmlns="http://apache.org/cocoon/lenya/ac/1.0">
+
+ <usecase id="ac.logout">
+ <role id="session" method="grant"/>
+ </usecase>
+ <usecase id="ac.login">
+ <role id="session" method="grant"/>
+ </usecase>
+ <usecase id="admin.aboutLenya">
+ <role id="session" method="grant"/>
+ </usecase>
+
<usecase id="bxe.edit">
<role id="admin" method="grant"/>
<role id="edit" method="grant"/>
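Review bot: the three new entries at the top of <usecases> depend on "session" alone, but this commit grants "session" only in policies/authoring/subtree-policy.acml. If ac.login, ac.logout or admin.aboutLenya can be invoked from a URL outside authoring, they would be denied there; either grant the role in the other area policies as well or add a comment above the block saying why authoring is sufficient and that these three are intentionally open to world.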
@@ -200,12 +211,6 @@
<usecase id="admin.usecases">
<role id="admin" method="grant"/>
</usecase>
- <usecase id="admin.aboutLenya">
- <role id="admin" method="grant"/>
- <role id="edit" method="grant"/>
- <role id="review" method="grant"/>
- <role id="visit" method="grant"/>
- </usecase>
<usecase id="admin.addGroup">
<role id="admin" method="grant"/>
</usecase>
@@ -327,12 +332,6 @@
<usecase id="kupu.edit">
<role id="admin" method="grant"/>
<role id="edit" method="grant"/>
- </usecase>
- <usecase id="ac.logout">
- <role id="admin" method="grant"/>
- <role id="edit" method="grant"/>
- <role id="review" method="grant"/>
- <role id="visit" method="grant"/>
</usecase>
<usecase id="resource.upload">
<role id="admin" method="grant"/>
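Review bot: removing the explicit admin, edit, review and visit grants from ac.logout makes logout depend on a single world grant that, per the log message, can be removed in the admin GUI; if that happens, no logged-in user can log out. Consider keeping the four explicit grants alongside the new "session" one, here and for admin.aboutLenya in the previous hunk, so that removing the world grant only affects anonymous visitors.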
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@lenya.apache.org
For additional commands, e-mail: commits-help@lenya.apache.org
Re: svn commit: r556049 - in /lenya/trunk/src/pubs/default/config/access-control:
passwd/session.rml policies/authoring/subtree-policy.acml usecase-policies.xml
Posted by Jörn Nettingsmeier <ne...@apache.org>.
Joern Nettingsmeier wrote:
> Andreas Hartmann wrote:
>> Hi Jörn,
>>
>> Since this commit there's no need to log in anymore to view the
>> authoring area (reproducible on the zone demo). I hope there is
>> a better solution to the problem :)
>
> ouch!
>
> that is quite embarrassing... i should have tested that.
> however, i don't really see how this came about - looks like a bug in
> the underlying ac code. will have to check...
>
> sorry for this fuckup,
the bug is in the ac code.
my naive assumption was that usecases are authorized according to the
usecase-policies.xml file, which maps usecases to roles.
roles are mapped to accreditables using the subtree-policy.xml files,
right? and then the usecase authorizer checks if a required role is held
for the requested document and usecase.
so far so good.
i further assumed that the right to visit pages is handled by the
"visit" role. based on this assumption i created the patch.
now here is the function that (iiuc) takes care of authorization:
    protected boolean authorizePolicy(
            Identity identity,
            Request request,
            String webappUrl)
            throws AccessControlException {
        Role[] roles =
            getPolicyManager().getGrantedRoles(getAccreditableManager(), identity, webappUrl);
        saveRoles(request, roles);
        return roles.length > 0;
    }
which to me sounds like "hey, you have any old role? fine, come on in."
even if the assigned role is "fuckoff", or, as in this case, "session".
this is really really wrong!
the authorizer that is invoked when documents are accessed needs to
check for a particular role "visit", or maybe (since we are in
authoring), for "visit OR admin OR review OR edit" (although i'd prefer
to add an explicit "visit" role to all people who will need to use the
authoring area), not just for roles.length > 0.
the assumption that users will not create any other roles and we can cut
corners like this is obviously ill-advised. :-D
sorry, but i can't fix this one myself since i have not yet found my way
around the new ac code. anyone else?
i'm adding this as a blocker bug for now.
--
Jörn Nettingsmeier
Kurt is up in heaven now.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org
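The any-role decision described in the message above, next to a role-specific page check and a usecase check, as an added Java illustration that is not Lenya code. Class and method names are hypothetical; the role sets come from the diff in this thread and from the "visit OR admin OR review OR edit" proposal.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Added illustration. All names are hypothetical; this is not Lenya's AC API.
public class AuthorizerSketch {

    // Roles that may open a page in authoring, as proposed in the message above.
    static final Set<String> PAGE_ROLES = Set.of("visit", "admin", "review", "edit");

    // Three entries of usecase-policies.xml as they stand after r556049.
    static final Map<String, Set<String>> USECASE_ROLES = Map.of(
            "ac.logout", Set.of("session"),
            "admin.aboutLenya", Set.of("session"),
            "admin.usecases", Set.of("admin"));

    // Stand-in for the policy lookup: <world> grants "session" to everyone,
    // group "admin" additionally grants "admin" (authoring/subtree-policy.acml).
    static Set<String> grantedRoles(boolean inAdminGroup) {
        return inAdminGroup ? Set.of("session", "admin") : Set.of("session");
    }

    // Same decision as the quoted authorizePolicy(): any role at all is enough.
    static boolean authorizeAnyRole(Set<String> granted) {
        return !granted.isEmpty();
    }

    // Role-specific page check: one granted role must be a page role.
    static boolean authorizePage(Set<String> granted) {
        return !Collections.disjoint(granted, PAGE_ROLES);
    }

    // Usecase check: unknown usecases are denied, known ones need a listed role.
    static boolean authorizeUsecase(Set<String> granted, String usecase) {
        return !Collections.disjoint(granted, USECASE_ROLES.getOrDefault(usecase, Set.of()));
    }

    public static void main(String[] args) {
        Set<String> anonymous = grantedRoles(false);
        System.out.println("any-role page check:    " + authorizeAnyRole(anonymous));
        System.out.println("page-role check:        " + authorizePage(anonymous));
        System.out.println("usecase ac.logout:      " + authorizeUsecase(anonymous, "ac.logout"));
        System.out.println("usecase admin.usecases: " + authorizeUsecase(anonymous, "admin.usecases"));
        System.out.println("admin page-role check:  " + authorizePage(grantedRoles(true)));
    }
}
```

Needs JDK 9 or later for Set.of and Map.of. The anonymous identity, holding only "session", passes the any-role check, fails the page-role check, and still reaches ac.logout through the usecase check.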
Re: svn commit: r556049 - in /lenya/trunk/src/pubs/default/config/access-control:
passwd/session.rml policies/authoring/subtree-policy.acml usecase-policies.xml
Posted by Joern Nettingsmeier <ne...@folkwang-hochschule.de>.
Andreas Hartmann wrote:
> Hi Jörn,
>
> nettings@apache.org wrote:
>> Author: nettings
>> Date: Fri Jul 13 08:55:52 2007
>> New Revision: 556049
>
> [...]
>
>> Modified: lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml
>
> [...]
>
>> + <!-- the "session" role grants access to login, logout and aboutLenya -->
>> + <world>
>> + <role id="session" method="grant"/>
>> + </world>
>
> Since this commit there's no need to log in anymore to view the
> authoring area (reproducible on the zone demo). I hope there is
> a better solution to the problem :)
ouch!
that is quite embarrassing... i should have tested that.
however, i don't really see how this came about - looks like a bug in
the underlying ac code. will have to check...
sorry for this fuckup,
jörn
--
jörn nettingsmeier
home://germany/45128 essen/lortzingstr. 11/
http://spunk.dnsalias.org
phone://+49/201/491621
Kurt is up in Heaven now.
Re: svn commit: r556049 - in /lenya/trunk/src/pubs/default/config/access-control:
passwd/session.rml policies/authoring/subtree-policy.acml usecase-policies.xml
Posted by Andreas Hartmann <an...@apache.org>.
Hi Jörn,
nettings@apache.org wrote:
> Author: nettings
> Date: Fri Jul 13 08:55:52 2007
> New Revision: 556049
[...]
> Modified: lenya/trunk/src/pubs/default/config/access-control/policies/authoring/subtree-policy.acml
[...]
> + <!-- the "session" role grants access to login, logout and aboutLenya -->
> + <world>
> + <role id="session" method="grant"/>
> + </world>
Since this commit there's no need to log in anymore to view the
authoring area (reproducible on the zone demo). I hope there is
a better solution to the problem :)
-- Andreas
--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch