Why not actually fix the problem instead of adding unexpected implicit
behavior?
Proposal:
pseudocode for "is a user in a group":
if the group name is XWikiAllGroup and XAG is configured as virtual
and the user is local,
then return true
otherwise, check the standard way, with the object attached to
document verification
The fact that XWikiAllGroup is configured as virtual doesn't mean that
it suddenly becomes an intangible document.
On 01/21/2014 01:52 PM, Denis Gervalle wrote:
> Hi Guillaume,
>
> I am definitely -1 to systematically replace XWikiAllGroup by
> XWikiMemberGroup in any subwiki:
>
> 1) because I do not see the meaning of XWikiMemberGroup in the
> myxwiki.orguse case.
> 2) because XWikiAllGroup is an habits for many existing user
> 3) because existing application/extension/scripts may attribute rights to
> XWikiAllGroup
> 4) because this could cause confusion if some right are attributed to
> XWikiAllGroup and others to XWikiMemberGroup, by a mixup of old and new
> habits.
>
> Since we definitely want to use implicit XWikiAllGroup, I do understand
> that you need a solution for workspace that may be joined by global users.
> The below proposal should allow you to do so without migrating existing
> installation. It apply only to subwikis.
>
> After thinking about the different possibilities, my best bet to a smooth
> migration is to keep XWikiAllGroup for its previous meaning: "All
> authenticated users having access to this wiki" (unless implicit, which
> restrict it currently to "All Local Users"). Keeping the meaning and
> potential usage of the group is the key IMO.
>
> To support selected global users to enter the implicit XWikiAllGroup, I
> simply suggest to add implicitly a group as a member of XWikiAllGroup. It
> could be called XWikiGlobalMemberGroup to be more explicit, and always be a
> member of the implicit XWikiAllGroup when
> xwiki.authentication.group.allgroupimplicit=2.
> Then:
>
> A) when xwiki.authentication.group.allgroupimplicit=0, and XWikiAllGroup
> (not implicit) does not have a member XWikiGlobalMemberGroup. Do not do any
> migration, and keep the current join behavior, using exclusively
> XWikiAllGroup for both local and global users.
>
> B) when xwiki.authentication.group.allgroupimplicit=1, keep the existing
> behavior, obviously prevent any global user to join, do not provide global
> user scope in wiki creation, and warn on the wiki setting if the user scope
> is incompatible with the current implicit setting.
>
> C) when xwiki.authentication.group.allgroupimplicit=2, check at startup
> that a XWikiGlobalMemberGroup exists, else create it and migrate any global
> users in XWikiAllGroup to XWikiGlobalMemberGroup.
>
> D) when xwiki.authentication.group.allgroupimplicit=2, or when
> xwiki.authentication.group.allgroupimplicit=0 and XWikiAllGroup contains
> XWikiGlobalMemberGroup, use the new behavior, allowing creation of all user
> scopes, removing any warnings, joining global users to the
> XWikiGlobalMemberGroup (and local users to the XWikiAllGroups if not
> implicit).
>
> The net benefit of the above proposal is to keep actual habits and existing
> use cases untouched. Moreover, the security is ensured to be kept as it is
> with no risk of side effect, which is priority.
>
> WDTH ?
>
> Obviously, my +1 for the above proposal.
> Thanks,
>
>
> On Tue, Jan 21, 2014 at 6:50 PM, Guillaume "Louis-Marie" Delhumeau <
> [email protected]> wrote:
>
>> 2014/1/21 Guillaume "Louis-Marie" Delhumeau <[email protected]>
>>
>>> Just to add some precisions:
>>>
>>> = What the migrator do =
>>> 1. Create a group XWikiMemberGroup, with XWikiAllGroup as the first
>> member.
>>> 2. All global users of XWikiAllGroup are put inside XWikiMemberGroup and
>>> removed from XWikiAllGroup.
>>> 3. All rights concerning XWikiAllGroup are changed (ex: "view for
>>> XWikiAllGroup" -> "view for XWikiMemberGroup"). It does not break
>> anything
>>> since XWikiAllGroup is a member of XWikiMemberGroup.
>>> 4. All candidacies (ie: join requests, etc...) are moved form
>>> XWikiAllGroup to XWikiMemberGroup, to be consistent.
>>>
>>
>> Of course, this migration is only done on subwikis.
>>
>>
>>>
>>>
>>>
>>>
>>> 2014/1/21 Guillaume "Louis-Marie" Delhumeau <[email protected]>
>>>
>>>> Sergiu:
>>>> Exactly, I don't have to have all global users in the this group. Only
>>>> those who are considered as "members" (ie: they have joined the wiki).
>>>>
>>>>
>>>> 2014/1/21 Sergiu Dumitriu <[email protected]>
>>>>
>>>>> Why not make virtual XWikiAllGroup also contain global users?
>>>>>
>>>>> We can make:
>>>>>
>>>>> xwiki.authentication.group.allgroupimplicit=0 -> no
>>>>> xwiki.authentication.group.allgroupimplicit=1 -> yes, all local users
>>>>> xwiki.authentication.group.allgroupimplicit=2 -> yes, local and global
>>>>>
>>>>> Or do you want to have only some global users, not all of them?
>>>>>
>>>>> On 01/21/2014 11:31 AM, Guillaume "Louis-Marie" Delhumeau wrote:
>>>>>> Hi developers!
>>>>>>
>>>>>> In Workspaces, we used to add global users in the XWikiAllGroup page
>>>>> of a
>>>>>> subwiki to indicate that they are members of that wiki.
>>>>>>
>>>>>> Now, we have an option called "user scope", and we can have both
>>>>> global &
>>>>>> local users in a subwiki. That means we have global & local users in
>>>>>> XWikiAllGroup.
>>>>>>
>>>>>> Then, it is a problem because it can not work when XWikiAllGroup is a
>>>>>> virtual group [1].
>>>>>>
>>>>>> Then, I have proposed to create a new group, called XWikiMemberGroup,
>>>>> that
>>>>>> hold the members of the subwiki. (Note: XWikiAllGroup will be a
>> member
>>>>> of
>>>>>> XWikiMemberGroup, in order to say "a local user is a member").
>>>>>>
>>>>>> So, I have written a migration (again!) [2], to create the new group
>>>>> with
>>>>>> the current content of XWikiAllGroup. In this migration, I also
>>>>> changes all
>>>>>> existing rights that occur on XWikiAllGroup to make them effective
>> for
>>>>>> XWikiMemberGroup. I did not want to duplicate these rights by just
>>>>> adding
>>>>>> the sames for XWikiMemberGroup. I think it is easier for the user to
>>>>> only
>>>>>> take care of the XWikiMemberGroup. But it looks a bit "magical", and
>>>>> some
>>>>>> people don't like it.
>>>>>>
>>>>>> I would like to have your opinion.
>>>>>>
>>>>>> +1 for adding XWikiMemberGroup and to "migrate" rights (replace all
>>>>> rights
>>>>>> given to XWikiAllGroup by rights given to XWikiMemberGroup).
>>>>>>
>>>>>> Thanks,
>>>>>> Louis-Marie
>>>>>>
>>>>>>
>>>>>> [1] http://jira.xwiki.org/browse/XWIKI-9886 - Enabling virtual
>>>>>> XWikiAllGroup breaks wiki membership
>>>>>> [2]
>>>>> https://github.com/xwiki/xwiki-platform/compare/feature-wiki-members -
>>>>>> Git branch for this proposal
--
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
