Posted to user@lenya.apache.org by Joern Nettingsmeier <po...@uni-duisburg.de> on 2006/05/02 18:53:31 UTC

access control again...

hi *!


after some absence from lenya due to other pressing projects, it's now
time to refresh the dent in my desktop....

goal: have an "intranet" subtree in a lenya 1.4 publication that only
logged-in users belonging to a certain group can access.

first obstacle are the "inherited rights". the / has by default a
subtree policy that allows the role "visit" to group "world". is there a
way to overwrite or not inherit those for a subtree? or do i have to set
url policies for all subtrees but "intranet" by hand?

tia,


jörn



-- 
"Án nýrra verka, án nútimans, hættir fortíðin að vekja áhuga."
"Without new works, without the present the past will cease to be of
interest."
        - Ásmundur Sveinsson (1893-1982)

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: pol-admin@uni-duisburg.de, Telefon: 0203/379-2736



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org


Re: access control again...

Posted by Joern Nettingsmeier <po...@uni-duisburg.de>.
Doug Chestnut wrote:
> Hi Joern
> 
> Joern Nettingsmeier wrote:
>> hi *!
>>
>>
>> after some absence from lenya due to other pressing projects, it's now
>> time to refresh the dent in my desktop....
>>
>> goal: have an "intranet" subtree in a lenya 1.4 publication that only
>> logged-in users belonging to a certain group can access.
>>
>> first obstacle are the "inherited rights". the / has by default a
>> subtree policy that allows the role "visit" to group "world". is there a
>> way to overwrite or not inherit those for a subtree? or do i have to set
>> url policies for all subtrees but "intranet" by hand?

> You should be able to select the node that you want to protect in the
> site area (site tab | site tree), click on "ac live", select the group
> or user to give access to the node, and then give them the role of
> visit.  The live area gets restrictive when users|groups have the visit
> role, I don't think that this is the case for the authoring area though.

ah, thanks, it works. the "inherited rights" list led me to believe the
global "visit" was still in effect.

having such different semantics for different areas strikes me as an
ugly hack though, even if it were documented anywhere.

why not have an additional role "none" or better yet "forbidden" that
will override any previous roles for the same group or user?

currently it seems that access controls are additive and can only be
granted, not revoked. i'd like to see either revoking added or have
"default acl" semantics similar to posix acls...


- jörn






-- 
"Án nýrra verka, án nútimans, hættir fortíðin að vekja áhuga."
"Without new works, without the present the past will cease to be of
interest."
        - Ásmundur Sveinsson (1893-1982)

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: pol-admin@uni-duisburg.de, Telefon: 0203/379-2736
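
An added sketch (not part of the original thread and not Lenya's code) that models the three inheritance semantics discussed above: purely additive grants, the live-area behaviour Doug describes, and the proposed "forbidden" role. The policy tables, the "staff" group and all function names are assumptions made for illustration.

```python
# Toy model of URL-tree policy resolution; NOT Lenya's implementation.
# Paths, groups and policies below are constructed for illustration.
POLICIES = {
    "/": {"world": {"visit"}},
    "/intranet": {"staff": {"visit"}},
}
# Same tree, using the hypothetical "forbidden" role proposed in the thread.
POLICIES_FORBIDDEN = {
    "/": {"world": {"visit"}},
    "/intranet": {"world": {"forbidden"}, "staff": {"visit"}},
}

def ancestors(path):
    """Return '/', then every prefix of path down to path itself."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def additive(policies, path, groups):
    """Grants only accumulate: a role given higher up is never lost."""
    roles = set()
    for node in ancestors(path):
        for group, granted in policies.get(node, {}).items():
            if group in groups:
                roles |= granted
    return roles

def restrictive_visit(policies, path, groups):
    """Assumed live-area rule: a node that assigns 'visit' to anyone
    cancels 'visit' inherited from above before applying its own grants."""
    roles = set()
    for node in ancestors(path):
        local = policies.get(node, {})
        if any("visit" in granted for granted in local.values()):
            roles.discard("visit")
        for group, granted in local.items():
            if group in groups:
                roles |= granted
    return roles

def with_forbidden(policies, path, groups):
    """Proposed rule: 'forbidden' wipes what the same group inherited."""
    per_group = {}
    for node in ancestors(path):
        for group, granted in policies.get(node, {}).items():
            if group not in groups:
                continue
            if "forbidden" in granted:
                per_group[group] = set()
            else:
                per_group.setdefault(group, set()).update(granted)
    return set().union(*per_group.values())
```

Under the additive rule an anonymous visitor keeps "visit" on /intranet, which is what the "inherited rights" list suggested; the other two rules deny it while still admitting a member of the constructed "staff" group.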


Re: access control again...

Posted by Doug Chestnut <dh...@virginia.edu>.
Hi Joern

Joern Nettingsmeier wrote:
> hi *!
> 
> 
> after some absence from lenya due to other pressing projects, it's now
> time to refresh the dent in my desktop....
> 
> goal: have an "intranet" subtree in a lenya 1.4 publication that only
> logged-in users belonging to a certain group can access.
> 
> first obstacle are the "inherited rights". the / has by default a
> subtree policy that allows the role "visit" to group "world". is there a
> way to overwrite or not inherit those for a subtree? or do i have to set
> url policies for all subtrees but "intranet" by hand?

You should be able to select the node that you want to protect in the
site area (site tab | site tree), click on "ac live", select the group
or user to give access to the node, and then give them the role of
visit.  The live area gets restrictive when users|groups have the visit
role, I don't think that this is the case for the authoring area though.

HTH,
--Doug

> 
> tia,
> 
> 
> jörn
> 
> 
> 
