Posted to slide-user@jakarta.apache.org by Mark Papiani <mp...@hotmail.com> on 2001/05/23 17:51:10 UTC

Can other users(roles) delete files locked by different user?

Hi,

I am using 3 clients to my FileContentStore slide install - Dav Explorer, 
Web Folders, DreamWeaver.

I have tried logging into the slide server as guest from one client and root 
from another. I try locking a resource from my root user.

I then try to delete the resource from my guest user client. The resource 
gets deleted. I did not expect this.

I tried locking a resource from my guest logon and then use DavExplorer to 
get the lock properties. These said that the resource had been locked by 
root not guest as per my logon. Is this why guest was able to delete a 
resource locked by root? If so, any thoughts why my guest user looks like 
root? Some config files are shown below.


Thanks
Mark

tomcat-users.xml, Domain.xml, web.xml files:

tomcat-users.xml
----------------

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
  <user name="guest"  password="guest" roles="tomcat,guest" />
  <user name="root"   password="root" roles="tomcat,root" />
</tomcat-users>


Domain.xml
----------

      <!-- Paths configuration -->
      <userspath>/users</userspath>
      <guestpath>guest</guestpath>
      <filespath></filespath>
      <parameter name="dav">true</parameter>
      <parameter name="standalone">true</parameter>

      <!-- Roles definition -->
      <role name="root">slideroles.basic.RootRole</role>
      <role name="user">slideroles.basic.UserRole</role>
      <role name="guest">slideroles.basic.GuestRole</role>


    <data>

      <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/">

        <permission action="/actions" subject="root"/>
        <permission action="/actions/read" subject="user"
         inheritable="false"/>
        <permission action="/actions/read" subject="nobody"
         inheritable="false"/>

        <!-- /users represents the unauthenticated user -->

        <objectnode classname="org.apache.slide.structure.SubjectNode"
         uri="/users">

          <permission action="/actions" subject="~"/>
          <permission action="/actions" subject="guest"
           inheritable="true" negative="true"/>
          <permission action="/actions/read" subject="user"
           inheritable="false"/>

          <!-- Permission group example -->

          <objectnode classname="org.apache.slide.structure.GroupNode"
            uri="/users/groupA">
             <objectnode classname="org.apache.slide.structure.LinkNode"
                uri="/users/groupA/john" linkedUri="/users/john" />
             <objectnode classname="org.apache.slide.structure.LinkNode"
                uri="/users/groupA/root" linkedUri="/users/root" />

             <objectnode classname="org.apache.slide.structure.SubjectNode"
               uri="/users/groupA/singleGroupMember"  />
          </objectnode>

          <!-- /users/root represents the administrator -->

          <objectnode classname="slideroles.basic.RootRoleImpl"
           uri="/users/root">
            <revision>
              <property name="password">root</property>
            </revision>
          </objectnode>

          <!-- /users/john represents an authenticated user -->

          <objectnode classname="slideroles.basic.UserRoleImpl"
           uri="/users/john">
            <revision>
              <property name="password">john</property>
            </revision>
          </objectnode>

          <!-- /users/guest represents an authenticated or unauthenticated
               guest user -->

          <objectnode classname="slideroles.basic.GuestRoleImpl"
           uri="/users/guest">
            <revision>
              <property name="password">guest</property>
            </revision>
          </objectnode>

        </objectnode>

        <objectnode classname="org.apache.slide.structure.ActionNode"
         uri="/actions">

          <objectnode classname="org.apache.slide.structure.ActionNode"
           uri="/actions/read"/>

          <objectnode classname="org.apache.slide.structure.ActionNode"
           uri="/actions/write"/>

          <objectnode classname="org.apache.slide.structure.ActionNode"
           uri="/actions/manage"/>

        </objectnode>

        <objectnode classname="org.apache.slide.structure.SubjectNode"
         uri="/files">

          <permission action="/actions/manage" subject="/users/john"/>
          <permission action="/actions/write" subject="+/users/groupA"/>
          <permission action="/actions/read" subject="nobody"/>

        </objectnode>
        </objectnode>

      </objectnode>

    </data>

  </namespace>




web.xml
-------


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DAV resource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>COPY</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>LOCK</http-method>
      <http-method>MKCOL</http-method>
      <http-method>MOVE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>POST</http-method>
      <http-method>PROPFIND</http-method>
      <http-method>PROPPATCH</http-method>
      <http-method>PUT</http-method>
      <http-method>UNLOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>root</role-name>
      <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>root</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Slide DAV Server</realm-name>
  </login-config>



Re: Can other users(roles) delete files locked by different user?

Posted by Remy Maucherat <re...@apache.org>.
> Hi,
>
> I am using 3 clients to my FileContentStore slide install - Dav Explorer,
> Web Folders, DreamWeaver.
>
> I have tried logging into the slide server as guest from one client and root
> from another. I try locking a resource from my root user.
>
> I then try to delete the resource from my guest user client. The resource
> gets deleted. I did not expect this.
>
> I tried locking a resource from my guest logon and then use DavExplorer to
> get the lock properties. These said that the resource had been locked by
> root not guest as per my logon. Is this why guest was able to delete a
> resource locked by root? If so, any thoughts why my guest user looks like
> root? Some config files are shown below.

Thanks for the report. I'll look into it.

Remy
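
The hypothesis raised in the original post (a guest login being treated as root, so that a lock held by root does not stop guest's DELETE) can be sketched as a small model. This is an added example, not code from either poster or from Slide; the two check functions, the login-to-subject mapping and the token value are assumptions made for illustration.

```python
# Added example: a model of a WebDAV write-lock check, not Apache Slide code.
from dataclasses import dataclass
from typing import Optional

LOCKED = 423      # WebDAV "Locked" status
NO_CONTENT = 204  # usual success status for DELETE


@dataclass(frozen=True)
class Lock:
    token: str  # opaque token the server returned from LOCK
    owner: str  # principal the server recorded as the lock creator


def resolve_principal(login: str, mapping: dict) -> str:
    """Map the container login to the store's subject (mapping is hypothetical)."""
    return mapping.get(login, login)


def owner_only_delete(lock: Optional[Lock], principal: str) -> int:
    """Weak check (assumed for illustration): trusts the resolved principal alone."""
    if lock is None or principal == lock.owner:
        return NO_CONTENT
    return LOCKED


def token_and_owner_delete(lock: Optional[Lock], principal: str,
                           submitted_tokens: tuple = ()) -> int:
    """Stricter check: the request must carry the lock token and come from its owner."""
    if lock is None:
        return NO_CONTENT
    if lock.token not in submitted_tokens or principal != lock.owner:
        return LOCKED
    return NO_CONTENT


def reported_scenario() -> dict:
    """root locks, guest sends DELETE without a token; all values are constructed."""
    lock = Lock(token="opaquelocktoken:constructed-example", owner="root")
    correct = resolve_principal("guest", {})                    # guest stays guest
    collapsed = resolve_principal("guest", {"guest": "root"})   # misattributed login
    return {
        "correct identity, owner-only check": owner_only_delete(lock, correct),
        "collapsed identity, owner-only check": owner_only_delete(lock, collapsed),
        "collapsed identity, token+owner check": token_and_owner_delete(lock, collapsed),
    }


if __name__ == "__main__":
    for case, status in reported_scenario().items():
        print(f"{status}  {case}")
```

In this model the delete only succeeds when the identity is collapsed and the server relies on the owner match alone; requiring the lock token as well still yields 423.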