Blair, I appreicate your help with this!
I understand how to fix it but I am not quite sure how your explaination works.. Root - Anon View = Inheirit(Deny) - Home - Anon View = Grant -- Sales Portal - Anon View =Deny --- ToolKit - Anon View = Inheirit(Deny) ---- SalesA - Anon View = Inheirit(Deny) ---- SalesB - Anon View = Inheirit(Deny) So in my situation its that the Anonymous role (Which all users get) is getting a barnacle value of 0 on the SalesB nav, allowing a role (the user is specifically assigned to) set as Deny on that node to view it anyway So if I underastand what you are saying, when permissions are checked before the navigation is output, its going up three nodes (to Home) to determine that the Anonymous user's "inherit' value of 0 is Grant (1).. and not actually inheirited recursively from its immediate parent. I assumed inheirit(deny) for an anonymous user meant they would be denied access.. Which they are.. if I try to go to the node without logging in. Its only when I am logged in as a specific user/role... oh well its late for me and like you said its complicated... I will go ahead and specify deny on all the nodes I want anonymous restricted from. Thanks again for the help. On Dec 16, 4:11 pm, Blair McKenzie <[email protected]> wrote: > Permissions for trees + mutliple roles is complicated. There isn't really > any way around it. The basic rules that we have settled on is: > 1) The most permission permission on a node is returned. If one role grants > permission, but another denies it, permission is granted. > 2) '0' == inherit == refer to parent (0 + no parent == Deny) > 3) The root node, by default, grants View to Anonymous > > In practical terms that means that if you want to restrict a navigation node > to a particular role you need to: > - DENY access for Anonymous (breaks the inheritance of grant from root) > - GRANT access for that role (trumps the deny when that role is present) > > Does this make sense? > > Blair > > > > On Thu, Dec 17, 2009 at 10:59 AM, Chris Roth <[email protected]> wrote: > > ok.. so if I set anonymous to explicitly deny on the node it appears > > to work, but this seems like there might be a bug in genericnav no > > respecting inheirited permissions. I hate to have to go in and > > explicitly set deny on subnavs of protected navs. > > > ideas? > > > -- > > You received this message cos you are subscribed to "farcry-dev" Google > > group. > > To post, email: [email protected] > > To unsubscribe, email: > > [email protected]<farcry-dev%2bunsubscr...@googlegroups.com> > > For more options:http://groups.google.com/group/farcry-dev > > -------------------------------- > > Follow us on Twitter:http://twitter.com/farcry- Hide quoted text - > > - Show quoted text - -- You received this message cos you are subscribed to "farcry-dev" Google group. To post, email: [email protected] To unsubscribe, email: [email protected] For more options: http://groups.google.com/group/farcry-dev -------------------------------- Follow us on Twitter: http://twitter.com/farcry
