DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=42952>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42952

Summary: document authorizer grants access for *any* role
Product: Lenya
Version: Trunk
Platform: Other
OS/Version: other
Status: NEW
Severity: blocker
Priority: P2
Component: Access Control
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

The document authorizer grants access to a page if a user holds *any* role. This is wrong.

The bug surfaced when a "session" role was added to allow all users access to login/logout usecases regardless of their other privileges. The access controller that is invoked for documents needs to check for an explicit "visit" role.

The question is whether other roles such as "admin", "edit", "review" should imply "visit" rights. I think for clarity it is best not to have implicit rights but to spell out "visit role for everybody" in the top-level policy file.
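An added model of the defect described in the report (example code, not Lenya's own access-control classes): a wildcard "session" grant in the top-level policy lets every user pass an authorizer that only asks "does this user hold any role?", while an authorizer that requires the explicit "visit" role does not. The policy lists, user names and function names are constructed assumptions for the illustration.

```python
# Constructed policies: (principal, role) grants; "*" means every user.
TOP_LEVEL_POLICY = [("*", "session")]                      # everybody may login/logout
PROTECTED_DOC_POLICY = [("alice", "visit"), ("alice", "edit"), ("bob", "visit")]
# The reporter's proposed fix for public areas: spell out visit-for-everybody
# rather than letting other roles imply it.
PUBLIC_DOC_POLICY = [("*", "visit")]


def roles_for(user, policies):
    """Collect the roles a user holds across a chain of policies (assumed semantics)."""
    roles = set()
    for policy in policies:
        for principal, role in policy:
            if principal in ("*", user):
                roles.add(role)
    return roles


def buggy_authorize_document(roles):
    # Reported behaviour: any role at all, including "session", opens the document.
    return len(roles) > 0


def fixed_authorize_document(roles):
    # Expected behaviour: only the explicit "visit" role opens the document.
    return "visit" in roles


def authorize_login(roles):
    # The login/logout usecases only need the "session" role.
    return "session" in roles


def decide(user, doc_policy):
    """Evaluate one user against the top-level policy plus a document policy."""
    roles = roles_for(user, [TOP_LEVEL_POLICY, doc_policy])
    return {
        "login": authorize_login(roles),
        "buggy_document": buggy_authorize_document(roles),
        "fixed_document": fixed_authorize_document(roles),
    }


if __name__ == "__main__":
    # "eve" appears in no document policy: she may log in, the buggy authorizer
    # still shows her the protected document, the fixed one does not.
    for user in ("alice", "bob", "eve"):
        print(user, decide(user, PROTECTED_DOC_POLICY))
```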
