Hi Denis, thanks for the pointer!
I see that by this documentation the "Script" right indeed has a precedence "DENY before ACCEPT", as with the other "page related" rights (i.e., the ones that can be set on the page level), and that "create wiki" indeed has an "ACCEPT before DENY".

I guess for the first part the user documentation at:
  http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
should be updated - it also wrongly states that the "Script" right can only be granted on the wiki level. Unless someone corrects me I will do this as part of XWIKI-13269 for the next BFD.

For the other rights I will commit fixes for the UI, which currently wrongly assumes that "DENY before ACCEPT" always applies.
As I have no idea how to access the Java "Rights" object from the velocity templates, I will probably hardcode a duplicate of this information; that is, unless I or someone else has a better idea.

Clemens

> Hi Clement,
>
> I am currently travelling by plane, so I cannot have a look in detail at
> this issue now, but I will surely have an answer later. In the meantime, you
> may find answers by looking at the most accurate documentation at
> http://extensions.xwiki.org/xwiki/bin/view/Extension/Security+Module.
>
> On Mon, May 9, 2016 at 9:22 AM, Clemens Klein-Robbenhaar <
> [email protected]> wrote:
>
>> Hi devs,
>>
>> while trying to figure out how to fix
>> http://jira.xwiki.org/browse/XWIKI-13269 " Multiple values for one
>> permission pair handled wrong "
>> I ran into a question about how to resolve conflicting rights/permissions.
>> I guess that resolving rights conflicts assigned to the same object/level
>> (i.e. page or wiki) but different principal (i.e. user and a group of that
>> user)
>> is not much different than resolving a conflict with rights for the same
>> principal (as happened in the bug report, getting two rights for the
>> anonymous user after an upgrade conflict).
>>
>> If I understand the documentation here:
>>
>> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
>>
>> then usually "deny" takes precedence over "allow", except for the "Special
>> Permissions": "admin", "programming", "register", "create wiki" and "script".
>>
>> However when I look at the implementation in
>> org.xwiki.security.authorization.Rights
>> I can see the rights have a "tieResolutionPolicy", which is "ALLOW" for
>> "register", "admin" and "programming",
>> but not for "create wiki" and "script".
>>
>> Is the "tieResolutionPolicy" something different than the priority order?
>> If not, who is right, the implementation or the documentation?
>>
>>
>> (However, no matter what the answer is, the UI needs to be updated, as it
>> always assumes that deny takes precedence, giving the wrong answer at times)
>>
>>
>> Thanks,
>> Clemens
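
The difference between a per-right tie policy and a blanket "deny wins" rule, as discussed in this thread, shown as an added example that is not part of the original messages and not XWiki code. The function names, principals and sample entries are hypothetical; the ALLOW values come from the original question's reading of Rights, and DENY for every other right is an assumption.

```javascript
// Standalone model of the tie resolution discussed in this thread; not XWiki code.
// ALLOW for register/admin/programming is what the original question reports for
// org.xwiki.security.authorization.Rights; DENY for all other rights is assumed here.
const TIE_POLICY = new Map([['register', 'ALLOW'], ['admin', 'ALLOW'], ['programming', 'ALLOW']]);
const DEFAULT_TIE = 'DENY';

// Distinct states set for `right` on one level (page or wiki) for any of the
// given principals (the user plus the groups the user belongs to).
function statesFor(entries, principals, right) {
  return new Set(entries
    .filter(e => e.right === right && principals.includes(e.principal))
    .map(e => e.state));
}

// Per-right tie policy: a conflict on the same level is settled by the table.
function resolveAtLevel(entries, principals, right) {
  const states = statesFor(entries, principals, right);
  if (states.size === 0) return null;           // nothing set on this level
  if (states.size === 1) return [...states][0]; // no conflict
  return TIE_POLICY.get(right) ?? DEFAULT_TIE;
}

// The assumption the thread attributes to the current UI: deny always wins.
function resolveDenyFirst(entries, principals, right) {
  const states = statesFor(entries, principals, right);
  if (states.has('DENY')) return 'DENY';
  return states.has('ALLOW') ? 'ALLOW' : null;
}

// Rights for which a deny-first display would disagree with the tie policy.
function uiMismatches(entries, principals, rights) {
  return rights.filter(r =>
    resolveAtLevel(entries, principals, r) !== resolveDenyFirst(entries, principals, r));
}

// Constructed sample entries, all on one level. 'guest' has two entries for the
// same right, as in the bug report; 'alice' conflicts with her group.
const SAMPLE = [
  { principal: 'guest', right: 'view', state: 'ALLOW' },
  { principal: 'guest', right: 'view', state: 'DENY' },
  { principal: 'alice', right: 'admin', state: 'DENY' },
  { principal: 'AdminGroup', right: 'admin', state: 'ALLOW' },
  { principal: 'alice', right: 'script', state: 'ALLOW' },
  { principal: 'AdminGroup', right: 'script', state: 'DENY' },
];

console.log(uiMismatches(SAMPLE, ['alice', 'AdminGroup'], ['view', 'admin', 'script']));
```
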

