You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lenya.apache.org by Andreas Hartmann <an...@apache.org> on 2007/11/20 18:37:28 UTC
Site vs. user administration (bug 43915)
Hi Lenya devs,
Richard pointed out that there's a dangerous connection between site
administration rights and user administration rights. If Alice has the
admin role on a single page, she can execute the admin.* usecases under
the Admin tab.
A quite straightforward solution is to introduce two different
administration roles:
1. Website administrator (e.g. "manager")
2. Application administrator (e.g., "admin")
The application administrator role would be used in the usecase policies
to protect the admin.* usecases. We have to add a mechanism which
ensures that this role is not granted to anyone in the "AC auth" tab.
WDYT?
-- Andreas
--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org
Re: Site vs. user administration (bug 43915)
Posted by Richard Frovarp <Ri...@sendit.nodak.edu>.
Andreas Hartmann wrote:
> Hi Lenya devs,
>
> Richard pointed out that there's a dangerous connection between site
> administration rights and user administration rights. If Alice has the
> admin role on a single page, she can execute the admin.* usecases
> under the Admin tab.
>
> A quite straightforward solution is to introduce two different
> administration roles:
>
> 1. Website administrator (e.g. "manager")
> 2. Application administrator (e.g., "admin")
>
> The application administrator role would be used in the usecase
> policies to protect the admin.* usecases. We have to add a mechanism
> which ensures that this role is not granted to anyone in the "AC auth"
> tab.
>
> WDYT?
>
> -- Andreas
>
>
+1
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org