Joern Nettingsmeier wrote:
Andreas Hartmann wrote:
Joern Nettingsmeier wrote:
Andreas Hartmann wrote:
Joern Nettingsmeier wrote:

[...]

can't we just use the mechanisms which are there?

add role "session".

<world>
  <role id="session"/>
</world>

That would mean to open the authoring area for everyone ...

sorry, i just typed the stuff from memory without checking.
what i meant was:
create a new role "session", add world to this role, check for that role
in the ac.log[in|out] usecases.

Yes, I guess I understood it correctly.

With the current implementation, if you give the role "session"
to the world, you allow everyone to enter the authoring area
without logging in.

Maybe we should change this behaviour and require the role
"visit" for visiting pages. This would allow to assign roles
to the world.

sorry, i wasn't aware that the session role exists already...

No, it doesn't exist :)
I wasn't specific enough, let me rephrase my statement:

With the current implementation, if you give *any* role
to the world, you allow everyone to enter the authoring area
without logging in.

that is unfortunate for huge values of unfortunate.
imho this needs to be fixed before a release can happen. what's the
rationale behind this behaviour?

The intention was that you don't have to introduce a special role
to be able to access pages, i.e. any role would imply that you can
at least access the page.


can we implement the same security principle as with the usecases for
locations?

Could you explain this a little more detailed?
Thanks!

-- Andreas


--
Andreas Hartmann
Wyona Inc.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
[EMAIL PROTECTED]                     [EMAIL PROTECTED]
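
A toy model of the two access rules discussed in this thread, added here as an illustration and not Lenya's access-control code: the policy layout, the function names and the URL-prefix inheritance are assumptions. It shows why granting world a role such as "session" opens the authoring area under the any-role rule, but not when a dedicated "visit" role is required.

```python
WORLD = "world"  # pseudo-identity that matches every visitor, logged in or not

# Constructed sample policy: URL prefix -> {identity: roles granted there}
POLICY = {
    "/live": {WORLD: {"visit"}},
    "/authoring": {"alice": {"visit", "edit"}},
}


def roles_at(policy, identity, url):
    """Roles held at url: world's grants plus the identity's own grants,
    accumulated over every matching prefix (assumed inheritance model)."""
    roles = set()
    for prefix, grants in policy.items():
        if url == prefix or url.startswith(prefix.rstrip("/") + "/"):
            roles |= grants.get(WORLD, set())
            if identity is not None:  # None models an anonymous visitor
                roles |= grants.get(identity, set())
    return roles


def may_access_any_role(policy, identity, url):
    """Rule described in the thread: holding any role implies page access."""
    return bool(roles_at(policy, identity, url))


def may_access_explicit(policy, identity, url, required="visit"):
    """Proposed rule: page access requires the dedicated role."""
    return required in roles_at(policy, identity, url)


def with_world_role(policy, role, prefix="/"):
    """Copy of policy in which world additionally holds role at prefix."""
    new = {p: {i: set(r) for i, r in g.items()} for p, g in policy.items()}
    new.setdefault(prefix, {}).setdefault(WORLD, set()).add(role)
    return new


def anonymous_access(policy, url="/authoring/index.html"):
    """Outcome of both rules for a visitor who has not logged in."""
    return {
        "any_role": may_access_any_role(policy, None, url),
        "explicit": may_access_explicit(policy, None, url),
    }


if __name__ == "__main__":
    print("before:", anonymous_access(POLICY))
    print("after :", anonymous_access(with_world_role(POLICY, "session")))
```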

