Weijian -- Your understanding is correct: users who have the "edit" PagePermission, but not the "createPages" WikiPermission, should not be allowed to create new pages.

The "edit" PagePermission should not imply the "createPages" WikiPermission. The Java code for the two classes doesn't show that there is any relationship between the two. If that is actually happening, then it is a bug.

Could you verify this behavior with a completely stripped down security policy (i.e., remove all commented out permissions, etc.)?

Andrew

On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <[email protected]> wrote:
> Hi,
>
> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
> to somebody, e.g. Authenticated users, but not the "createPages"
> WikiPermission, my understanding is the users should be able to edit
> existing pages but not create new pages.
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
>     // permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
>
> However, my authenticated users also get the permission to create
> pages. In my experiments, the "upload" PagePermission does not imply
> "createPages", but "edit" does.
>
> Has anyone seen this before? What did I do wrong? Many thanks.
>
> Weijian
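
An added example, not part of the original thread and not JSPWiki code: a small Python script that lists what a policy file actually grants once comments are stripped, as one way to carry out the stripped-down check requested above. The sample policy is constructed from the quoted block plus a hypothetical second grant for a role named "All"; the script matches action names literally and does not model `implies()`.

```python
import re

# Constructed sample: the grant block quoted in the thread, plus a
# hypothetical second block (role "All") added only for illustration.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
    // permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    /* constructed: a broader block that still grants page creation */
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,login";
};
'''

# Quoted strings are matched first so that "//" inside a string is not a comment.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'grant\s+principal\s+\S+\s+"([^"]*)"\s*\{(.*?)\}\s*;', re.S)
_PERM = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')

def strip_comments(text):
    """Remove // and /* */ comments but leave quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def active_grants(policy):
    """Map principal name -> list of (permission class, target, set of actions)."""
    grants = {}
    for name, body in _GRANT.findall(strip_comments(policy)):
        for cls, target, actions in _PERM.findall(body):
            acts = {a.strip() for a in actions.split(',') if a.strip()}
            grants.setdefault(name, []).append((cls.rsplit('.', 1)[-1], target, acts))
    return grants

def principals_with(policy, perm_class, action):
    """Principals whose active (uncommented) grants name this action literally."""
    return sorted(name for name, perms in active_grants(policy).items()
                  if any(c == perm_class and action in a for c, _, a in perms))

if __name__ == "__main__":
    for name, perms in active_grants(SAMPLE_POLICY).items():
        for cls, target, acts in perms:
            print(f"{name:15} {cls:15} {target:5} {','.join(sorted(acts))}")
    print("createPages granted to:",
          principals_with(SAMPLE_POLICY, "WikiPermission", "createPages"))
```
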
