Boris just answered a quite long question of mine on the user list,
asking me to post this issue here. I'll try to keep it short; for the
full story, read "problems defining multiple roles" (first reply,
Point 2) on the user list. So, please don't take this as cross-posting...

I think there is a bug in rights management that can be seen when a
user has two or more roles assigned that include at least one ACL to
the same path with different rights. Then the order of the role
assignment to the user is important, because it seems that only the
ACL of the last role has effect. It seems as if the last role overwrites
the ACL to that path of the other roles without checking. Normally the
ACLs should be compared and the less restrictive one should be taken.

Try the following:
- define two roles: 'fullwrite' with full r/w to the whole website (63
on /*) and 'readonly' with read-only to the whole website (8 on /*)
(make sure to add at least a read-only to /* on config in both roles to
see the buttons in admin interface (quick and dirty))
- create a user and assign role 'fullwrite' to that user, add 'readonly'
as second role
- log into admin interface: rights to website should be r/w but it is
read-only
- log out, change the order of the role-assignment (first 'readonly'
second 'fullwrite')
- log into admin interface again: rights to website are r/w now, but
only because 'fullwrite' is at the end of role-assignments.

I'm not posting this in Jira, because I first want a dev to have a look at
it and confirm whether this is a bug or whether I'm doing something wrong -
could be ;-)

Regards,
tom
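
The two merge behaviours contrasted in the report above, as an added example that is not part of the original message and is not Magnolia code. The function names are hypothetical, the role data is constructed from the values in the report (63 and 8 on /*), and the union variant assumes the permission values are bitmasks.

```python
from itertools import permutations

# Constructed role data using the two values from the report:
# 63 = full read/write, 8 = read-only, both on the path pattern "/*".
ROLES = {
    "fullwrite": {"/*": 63},
    "readonly": {"/*": 8},
}

def effective_last_wins(assigned_roles, roles=ROLES):
    """Behaviour described in the report: a later role's ACL for the same
    path replaces the earlier one without comparing them."""
    acl = {}
    for name in assigned_roles:
        acl.update(roles[name])
    return acl

def effective_union(assigned_roles, roles=ROLES):
    """Expected behaviour: ACLs for the same path are combined so the
    less restrictive grant survives (assumption: values are bitmasks)."""
    acl = {}
    for name in assigned_roles:
        for path, perm in roles[name].items():
            acl[path] = acl.get(path, 0) | perm
    return acl

def order_dependent(resolver, role_names, roles=ROLES):
    """True if any ordering of the same roles yields different rights.
    Usable as a regression check on a permission resolver."""
    results = {tuple(sorted(resolver(list(p), roles).items()))
               for p in permutations(role_names)}
    return len(results) > 1

if __name__ == "__main__":
    for order in (["fullwrite", "readonly"], ["readonly", "fullwrite"]):
        print(order, effective_last_wins(order), effective_union(order))
    names = list(ROLES)
    print("last-wins order dependent:", order_dependent(effective_last_wins, names))
    print("union order dependent:", order_dependent(effective_union, names))
```

A resolver whose result changes with the order of role assignment fails the `order_dependent` check, which is the symptom the reproduction steps show by hand.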