This is correct behavior.
When you create an ACL for a page, it replaces the default security
policy. So, if your jspwiki.policy says that anonymous users can view
page Foo (or "*" for all pages), adding an ACL of [{ALLOW edit
florian}] means that only Florian can edit Foo, and nobody else has
any other privileges.
The reason the system works this way is quite simple. For example, if
you wanted to prevent all ordinary users from viewing a page called
"Payroll," you'd add an ACL that allowed the "Finance" group to edit
it. But you wouldn't want the default "anonymous view" policy to be
added on top of that ACL.
We probably haven't been as clear about this as we could have been...
Andrew
On Jan 11, 2008, at 3:58 PM, Florian Holeczek wrote:
maybe add a
[{ALLOW view anonymous}] - to allow anonymous (I think then
everyone to view)
[{ALLOW edit florian}]
Florian wrote this...
Yes, that's fine (with Anonymous, case sensitive). I already knew this
before, though :-)
Maybe it's an "undocumented feature" that once a policy rule is given,
the default policy rules are deactivated completely?
Regards,
Florian
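
The replace-not-merge behavior discussed in this thread, as an added example that is not part of the original messages and is not JSPWiki's own code: a simplified Python model that parses page ACL markup and lists the default-policy grants a page ACL has dropped. The page names, page texts and the one-rule default policy are constructed samples; principal matching is case sensitive as noted in the thread, and implied permissions and administrator rights are not modelled.

```python
import re

# Matches page ACL markup such as [{ALLOW edit florian}]
ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]+?)\s*\}\]")

def parse_acl(page_text):
    """Return {action: set(principals)} for every ALLOW entry in the page."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        acl.setdefault(action, set()).update(
            n.strip() for n in names.split(",") if n.strip())
    return acl

def allowed(principals, action, page_text, default_policy):
    """Replace semantics: once a page carries any ACL entry, the default
    policy is ignored for that page and only the ACL is consulted."""
    acl = parse_acl(page_text)
    rules = acl if acl else default_policy
    return bool(set(principals) & rules.get(action, set()))

def lost_grants(pages, default_policy):
    """List (page, action, principal) default grants that a page ACL removed."""
    lost = []
    for name, text in sorted(pages.items()):
        acl = parse_acl(text)
        if not acl:
            continue  # no ACL on the page: the default policy still applies
        for action, who in sorted(default_policy.items()):
            for principal in sorted(who - acl.get(action, set())):
                lost.append((name, action, principal))
    return lost

# Constructed sample data (assumption): default policy lets Anonymous view.
DEFAULT_POLICY = {"view": {"Anonymous"}}
PAGES = {
    "Main": "Welcome to the wiki.",
    "Foo": "[{ALLOW edit florian}]\nSome text.",
    "FooFixed": "[{ALLOW view Anonymous}]\n[{ALLOW edit florian}]\nSome text.",
    "Payroll": "[{ALLOW edit Finance}]\nSalary table.",
}

if __name__ == "__main__":
    for page, action, principal in lost_grants(PAGES, DEFAULT_POLICY):
        print(f"{page}: ACL present, default '{action}' for {principal} no longer applies")
```

For Payroll the dropped grant is the intended result; for Foo it is the surprise that started the thread, and FooFixed shows the explicit view entry that restores it.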