Thorsten Scherler wrote:
> On Tue, 2006-09-26 at 17:50 +0200, Jörn Nettingsmeier wrote:
>> before we start a REOPEN war on bugzilla, let's discuss this here first.
>>
>> imho an exception caused by a normal gui operation is always a bug.
>> imnsho a "deny" credential for the role "edit" that leads to a loss of
>> "visit" for the user admin is a blocker bug.
>
> The thing is a user can have more than one role. Lenya e.g. has the roles
> "edit, admin, visit"; now we test whether we find credentials for these
> roles. If there is a credential (with high priority) which denies access
> for editor, then lenya gets locked out. To allow lenya and not any other
> editor, have a look at our documentation.
again:
log in as user lenya.
go to site overview, select page "document type examples".
open "ac authoring" tab.
as an inheritable credential, add { group:edit, role:edit, deny}.
press "add".
as an inheritable credential, add { group:admin, role:edit, grant}.
press "add". pooof.
the problems are these:
the usecase permissions for tab.acLive are "admin/grant".
lenya (as an admin) should be able to commit the second change, even
after taking away the edit permission for one of its own group
accreditables, as changing ac calls for the "admin" role (which was
never touched). that seems like a big bug.
the user does not get a meaningful error message, and lenya throws an
exception. that is perhaps a small bug, but it needs to be fixed.
after the entire transaction (which only touched the *edit* role), user
lenya can no longer *view* the page. "world" should still be able to
view the page, and lenya is "world". plus the *view* role was never
touched as well in the entire test case. that looks like another mother
of a bug.
and even if this all is due to some misconception of mine (which might
well be the case), it would be a lot more polite to point out my errors
in understanding and give me a chance to close the bug than marking it
as invalid without giving it more than a passing glance. i may be alone
in this, but for me, ac is serious stuff. if i'm totally not grokking
it, that's at least a serious documentation issue.
--
"I don't need backups. I need restore!" - Trad.
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]