![]() |
|
|
|
|
Change By:
|
Christoph Meier
(06/Mar/14 10:59 AM)
|
|
Description:
|
Forum on M4.5 had sophisticated security-model which
cannot be properly used with current M5
is currently not supported by Magnolia 5
.
Bootstrap (originating from M4.5-version) installs these 4 roles.
1) forum-base
2) forum_ALL-user
3) forum_ALL-admin
4) forum_ALL-moderator
(2), (3) and (4) all come with an ACL-permission for the forum-workspace which M5-security-app cannot display correct (see screenshot) and is lost when someone is editing it.
Instead of the permission "moderateAndDelete" use "read & write"
Forum 3.3 should apply the following simple security model:
(a) role forum-base is required to access the forum-app
(b) to moderate (=> approve or reject a message) a user must have the role forum_ALL-moderator or forum_ALL-admin
(c) if a user has the above described permission to moderate a forum, he can moderate every forum
(a) is already done but probably arguable.
=>
- clean install: ensure Bootstraps contain roles which can be handled by M5; remove no more used bootstraps
- clean update: ensure config. of installed forum gets roles which can be handled by M5 on update
- clean code: ensure DefaultForumManager#isModerator works properly (based on roles)
- disable automatically creation of roles when a forum is created in the forum-config (change the config which in bootstrap or in already installed versions)
|
|
|
|
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <
[email protected]>
----------------------------------------------------------------
