Thanks for the reply and confirmation. I suppose I see your point, to an extent... It could certainly cause some confusion if you weren't careful with your policy and group assignments, but -- and perhaps I'm just biased here ;) -- to me it seems like the policy for a *Group* should override an ACL. Or perhaps there could be another "special purpose" permission similar to AllPermission but strictly for view/edit stuff (no other admin-like capabilities). Obviously, you're in a better position to think through the ramifications than am I, so I will defer to your decision.
Thanks again!

> Peter, your understanding is correct. To accomplish what you want,
> you'd need to edit the ACLs of the protected pages to include the
> Editors. Or, as you pointed out, you can give the Editors the
> AllPermission.
>
> You can see why it is this way, right? Otherwise, ACLs would
> essentially be meaningless because you could override any ACL by
> modifying the base policy. But let me think about this a bit more.
> Perhaps there is something we can do in the 3.1 timeframe.
>
> Andrew
>
> On Fri, Mar 26, 2010 at 12:19 PM, Peter Schart
> <[email protected]> wrote:
>> I'll try to keep this as brief as possible as I'm fairly sure it has a
>> simple answer. Here's the situation:
>>
>> I've got a wiki that has some fairly strict permissions:
>> 1. Nothing is viewable unless asserted or authenticated.
>> 2. Nothing is editable unless user is a member of group "Editors".
>> 3. Non-editors belong to 1 of 3 groups (call them A, B, and C)
>> 4. Some pages are viewable by all 3 groups; others are only viewable to 1 of
>> the 3 groups (via ACLs, e.g.: [{ALLOW view A}]).
>>
>> What I'd like to do (and what I think is impossible) is to allow members of
>> the "Editors" group to be able to view/edit anything (regardless of whatever
>> ACL a page might have) but not have AllPermissions (i.e.: they shouldn't be
>> able to approve new users, delete pages, etc...).
>>
>> In my .policy, the Editors group has modify and rename for PagePermissions
>> but I still get the "You're not allowed to do that" message when trying to
>> view any page with an "ALLOW view [A|B|C]" ACL.
>>
>> I *think* that the only way to override page ACLs is to give the group
>> AllPermission in the .policy. Is this correct? If so, is there any way to
>> achieve the "Editors can edit anything but aren't admins" goal other than
>> adding "Editors" to every view ACL?
>>
>> Thanks for your help.
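The decision order discussed in this thread can be modelled in a few lines. This is an added sketch, not code from the thread or from the wiki's code base; the `IMPLIES` table, the dictionary layouts and the rule that a page without an ACL falls back to the policy are assumptions made for the model.

```python
ALL_PERMISSION = "AllPermission"

# Assumed for this sketch: a granted action (key) also covers the listed actions.
IMPLIES = {
    "view": {"view"},
    "edit": {"edit", "view"},
    "modify": {"modify", "edit", "view"},
    "rename": {"rename", "edit", "view"},
}

def covers(granted, action):
    """True if any granted action implies the requested one."""
    return any(action in IMPLIES.get(g, {g}) for g in granted)

def can_access(policy, acl, groups, action):
    """policy: group -> granted actions; acl: action -> allowed groups, or None."""
    granted = set()
    for group in groups:
        granted |= policy.get(group, set())
    # AllPermission is the one grant that bypasses page ACLs.
    if ALL_PERMISSION in granted:
        return True
    # The policy must grant the action; in this model an ACL never adds rights.
    if not covers(granted, action):
        return False
    # No ACL on the page: the policy decision stands (assumption of the model).
    if not acl:
        return True
    # ACL present: one of the user's groups must be listed for this action.
    allowed = set()
    for acl_action, acl_groups in acl.items():
        if covers({acl_action}, action):
            allowed |= acl_groups
    return bool(set(groups) & allowed)

# Constructed sample data mirroring the setup described in the thread.
POLICY = {"A": {"view"}, "B": {"view"}, "C": {"view"},
          "Editors": {"modify", "rename"}}
PAGE_ACL = {"view": {"A"}}  # models [{ALLOW view A}]

if __name__ == "__main__":
    for who in ("A", "B", "Editors"):
        print(who, "view:", can_access(POLICY, PAGE_ACL, {who}, "view"))
    fixed_acl = {"view": {"A", "Editors"}}  # Editors added to the page ACL
    print("Editors view, ACL edited:",
          can_access(POLICY, fixed_acl, {"Editors"}, "view"))
```
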
