Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Friday 11. March 2016 21.36.47 Chris Freemesser wrote: > On 3/11/16 3:15 PM, Paul Boddie wrote: > > I'm not sure if I considered this properly before, but I'm somewhat > > convinced that this is what happens now: even acl_rights_before will > > short-circuit the decision-making process. > > The way I see it, "acl_rights_before" are the settings you never want > anybody to be able to change, "acl_rights_default" are the settings you > normally want applied, and #acl gets added when you need to make a page > "abnormal". It all makes sense and works great...when it works. ;) Yes, this is a good explanation of what I think should be happening. Maybe we both even agree with what the documentation says and what the code does. ;-) > I was able to get a second server set up with a bone stock install of > TurnKey Linux MoinMoin (greatest distro ever...took 15 minutes for it to > be up and running). Using the default wiki instance, everything works as > it should, so there has to be something about the way my wiki instances > got migrated over that created this acl issue. Next step will be to try > migrating an instance over to this test server to see what happens. > That'll be early next week though. It's a bit baffling, really. Maybe creating a separate test instance on your server with the basic elements of the desired configuration might help. > Thanks again for all the help, and have a good weekend! No problem! Given that people are still using MoinMoin, and despite the lack of core developer presence on this and other channels, I'm inclined to start looking at doing Moin-related things again just to keep it viable. It would be a shame if people stopped using it because they felt it wasn't getting much developer attention any more. Paul P.S. I guess Thomas and others are busy developing Moin 2 on Bitbucket (as well as other things), and perhaps they're on some IRC channel that isn't logged in a place I know about, but I have to say that I am a bit worried about the relative silence from the core developers. -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/11/16 3:15 PM, Paul Boddie wrote: > I'm not sure if I considered this properly before, but I'm somewhat convinced > that this is what happens now: even acl_rights_before will short-circuit the > decision-making process. The way I see it, "acl_rights_before" are the settings you never want anybody to be able to change, "acl_rights_default" are the settings you normally want applied, and #acl gets added when you need to make a page "abnormal". It all makes sense and works great...when it works. ;) I was able to get a second server set up with a bone stock install of TurnKey Linux MoinMoin (greatest distro ever...took 15 minutes for it to be up and running). Using the default wiki instance, everything works as it should, so there has to be something about the way my wiki instances got migrated over that created this acl issue. Next step will be to try migrating an instance over to this test server to see what happens. That'll be early next week though. Thanks again for all the help, and have a good weekend! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Friday 11. March 2016 20.11.57 Chris Freemesser wrote: > On 3/10/16 12:38 PM, Paul Boddie wrote: > > Now, if I understand, what you want to do is to have is administration > > and editing access set in the before rule. For example: > > > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " > > \ > > > > u"WikiGroup:read,write,delete,revert" > > > > And then you want unidentified users only being able to read pages: > > > > acl_rights_default = u"All:read" > > > > And on pages where such users shouldn't even be able to read the page, > > you would put this: > > > > #acl All: > > > > Or you might even put something else that doesn't even mention "All" or > > "Default". > > > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to > > hand, but I can't see any differences between that and 1.9.8. > > First, thanks very much for taking the time to do the testing and reply...I > greatly appreciate it! These ACLs are making my head spin. ;) That happens to us all. ;-) > What you've mentioned above could be a workaround for the issues I'm > experiencing, though I do have to give the WikiGroup admin rights so they > can create new pages. I tried this out and it seems to be working. OK. > However, the workaround does not allow me to disable WikiGroup's access to > a page. For example, I don't allow them editing rights to the WikiGroup > page itself, but with this workaround, I can't take away the rights. > Adding a #acl line to the page with instructions to remove their access > does nothing. With the rights as described above (in my previous mail), you won't be able to change what WikiGroup can do in a page ACL because acl_rights_before will have decided that already, at least as I understand things. It would be like this... acl_rights_before -> "... WikiGroup:read,write,delete,revert,admin" -> "WikiGroup:read,write,delete,revert,admin" -> "read,write,delete,revert,admin" applies What wouldn't happen is the bit where Moin looks at the page ACL and/or the acl_rights_before setting. I'm not sure if I considered this properly before, but I'm somewhat convinced that this is what happens now: even acl_rights_before will short-circuit the decision-making process. > So, it looks like I need to ultimately get the acl problem solved so it > works as designed. As soon as I can find the time I'm going to set up a > 2nd server from scratch using the same TurnKey Linux MoinMoin distribution > to see if this problem exists out-of-the-box. If it does, then it's an > issue with the distribution, and not a problem with my wiki instances. > I'll do my best to provide updates on my progress. I think that the change I described may have influenced the situation but I haven't really thought too hard about how that has happened. Meanwhile, you could try changing things to this: acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ u"+WikiGroup:read,write,delete,revert,admin" acl_rights_default = u"+All:read" And then try and change the ACL on the WikiGroup page to... #acl WikiGroup:read If my mental model of the ACL system is correct, WikiGroup should have all the "before" rights, but instead of stopping there, Moin should then look at the page ACL, see that WikiGroup has been given only the "read" right, and then return that single right as its decision. acl_rights_before -> "... WikiGroup:read,write,delete,revert,admin" -> "+WikiGroup:read,write,delete,revert,admin" -> "read,write,delete,revert,admin" apply, but not definitively -> page ACL -> "WikiGroup:read" -> "read" applies, overriding the "+WikiGroup" rights I hope this makes some sense. :-) Paul -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/10/16 12:38 PM, Paul Boddie wrote: > Now, if I understand, what you want to do is to have is administration and > editing access set in the before rule. For example: > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ > u"WikiGroup:read,write,delete,revert" > > And then you want unidentified users only being able to read pages: > > acl_rights_default = u"All:read" > > And on pages where such users shouldn't even be able to read the page, you > would put this: > > #acl All: > > Or you might even put something else that doesn't even mention "All" or > "Default". > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, > but I can't see any differences between that and 1.9.8. First, thanks very much for taking the time to do the testing and reply...I greatly appreciate it! These ACLs are making my head spin. ;) What you've mentioned above could be a workaround for the issues I'm experiencing, though I do have to give the WikiGroup admin rights so they can create new pages. I tried this out and it seems to be working. However, the workaround does not allow me to disable WikiGroup's access to a page. For example, I don't allow them editing rights to the WikiGroup page itself, but with this workaround, I can't take away the rights. Adding a #acl line to the page with instructions to remove their access does nothing. So, it looks like I need to ultimately get the acl problem solved so it works as designed. As soon as I can find the time I'm going to set up a 2nd server from scratch using the same TurnKey Linux MoinMoin distribution to see if this problem exists out-of-the-box. If it does, then it's an issue with the distribution, and not a problem with my wiki instances. I'll do my best to provide updates on my progress. Thanks again! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/10/16 12:38 PM, Paul Boddie wrote: > Now, if I understand, what you want to do is to have is administration and > editing access set in the before rule. For example: > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ > u"WikiGroup:read,write,delete,revert" > > And then you want unidentified users only being able to read pages: > > acl_rights_default = u"All:read" > > And on pages where such users shouldn't even be able to read the page, you > would put this: > > #acl All: > > Or you might even put something else that doesn't even mention "All" or > "Default". > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, > but I can't see any differences between that and 1.9.8. First, thanks very much for taking the time to do the testing and reply...I greatly appreciate it! These ACLs are making my head spin. ;) What you've mentioned above could be a workaround for the issues I'm experiencing, though I do have to give the WikiGroup admin rights so they can create new pages. I tried this out and it seems to be working. However, the workaround does not allow me to disable WikiGroup's access to a page. For example, I don't allow them editing rights to the WikiGroup page itself, but with this workaround, I can't take away the rights. Adding a #acl line to the page with instructions to remove their access does nothing. So, it looks like I need to ultimately get the acl problem solved so it works as designed. As soon as I can find the time I'm going to set up a 2nd server from scratch using the same TurnKey Linux MoinMoin distribution to see if this problem exists out-of-the-box. If it does, then it's an issue with the distribution, and not a problem with my wiki instances. I'll do my best to provide updates on my progress. Thanks again! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user