Peter, your understanding is correct. To accomplish what you want, you'd need to edit the ACLs of the protected pages to include the Editors. Or, as you pointed out, you can give the Editors the AllPermission.
You can see why it is this way, right? Otherwise, ACLs would essentially be meaningless because you could override any ACL by modifying the base policy. But let me think about this a bit more. Perhaps there is something we can do in the 3.1 timeframe. Andrew On Fri, Mar 26, 2010 at 12:19 PM, Peter Schart <[email protected]> wrote: > I'll try to keep this as brief as possible as I'm fairly sure it has a simple > answer. Here's the situation: > > I've got a wiki that has some fairly strict permissions: > 1. Nothing is viewable unless asserted or authenticated. > 2. Nothing is editable unless user is a member of group "Editors". > 3. Non-editors belong to 1 of 3 groups (call them A, B, and C) > 4. Some pages are viewable by all 3 groups; others are only viewable to 1 of > the 3 groups (via ACLs, e.g.: [{ALLOW view A}]. > > What I'd like to do (and what I think is impossible) is to allow members of > the "Editors" group to be able to view/edit anything (regardless of whatever > ACL a page might have) but not have AllPermissions (i.e.: they shouldn't be > able to approve new users, delete pages, etc...). > > In my .policy, the Editors group has modify and rename for PagePermissions > but I still get the "You're not allowed to do that" message when trying to > view any page with an "ALLOW view [A|B|C]" ACL. > > I *think* that the only way to override page ACLs is to give the group > AllPermission in the .policy. Is this correct? If so, is there anyway to > achieve the "Editors can edit anything but aren't admins" goal other than > adding "Editors" to every view ACL? > > Thanks for your help.
