First off, there are 2 forms of browse.

1) http://hostname:port/archiva/browse/* (also known as artifact browsing)
2) http://hostname:port/archiva/repository/repoid/* (also known as
direct webdav browsing)

The first one requires no special roles (yet).
The second one requires either the "Repository Observer" role for the
specific {repoid}, or the "Global Repository Observer" role for all
defined repositories.

- Joakim

Markus Reil wrote:
> Hi Joakim,
>
> thanks for your answer.
> If there were users with less permission than guest, that would be
> alright for me.
> What I meant is, that even if I make the new user "Repository Observer"
> he is still not able to browse the WebDAV repository. I revoked
> "Repository Observer" from Guest because I do not want guests to be able
> to browse or upload to repositories.
> Do I have to validate a new user?
>
> Thanks,
> Markus
>
> Joakim Erdfelt wrote:
>   
>> This is a confusing mess of roles ATM.
>>
>> You just pointed out a flaw in the design of the security.
>>
>> The roles that the Guest user has are not copied (or linked) to new users.
>>
>> It is quite possible for new users to have *LESS* permission than a
>> guest (anonymous) user!
>>
>> I just discussed this with my partner in security crime, Jesse
>> McConnell, and we are working on a solution to this oversight.
>>
>> - Joakim Erdfelt
>>
>> Markus Reil wrote:
>>     
>>> Hi,
>>>
>>> I built archiva from trunk rev. 521889.
>>> If I assign the role Repository Observer to Guest I can access the
>>> repository but I a newly created user.
>>> The user I created does not have the "Validated" flag set in the User
>>> Management page. Is that the reason?
>>> Then how can I validate the user? Is an E-Mail confirmation needed?
>>> Unfortunately I am not able to send E-Mail from my server.
>>>
>>> Thanks in advance for any help.
>>>
>>> Best Regards,
>>> Markus
>>>