Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Monday 14. March 2016 20.31.48 Chris Freemesser wrote: > On 3/11/16 4:09 PM, Paul Boddie wrote: > > It's a bit baffling, really. Maybe creating a separate test instance on > > your server with the basic elements of the desired configuration might > > help. > > I think I found the problem. I migrated one of my existing instances to > the test server I set up on Friday, and did not experience the right > problems I was seeing on my problematic server. > > Thinking back about something you mentioned regarding it possibly being a > cache problem, I returned to my problematic server and simply deleted the > entire cache folder for one of my instances. Created a replacement folder > for it, assigned ownership of it to "www-data", then ran a "maint > cleancache" command on the instance. After doing this, I then had to > again reassign ownership rights for the entire cache folder to "www-data". > I think this may be an issue unique to how TurnKey Linux works...the > subfolders within the cache folder that were recreated had "root" > ownership for some reason, and the server doesn't seem to like that. I often find file ownership to be a significant problem when performing maintenance tasks, assuming that the maintenance command actually functions correctly. I therefore find myself running some of these commands using sudo like this... sudo -u www-data moin ... (In fact, I use a helper script called moinsetup.py that I wrote to do common configuration tasks, and it is often the case that I run that instead of moin directly in the above way.) > However, once rights were reassigned, now the ACLs work properly. Go > figure. > > The location of the cache folder on this server is different than my old > server, and I suspect I copied the cache files to the new location when I > first migrated the instances. Looks like that isn't a good thing to do. I don't have an overview of what kind of location-sensitive information might be found in those files, but maybe it has an influence. > I'm going to try this fix for all of my wiki instances tomorrow, so fingers > crossed it works for all of those as well. > > Thanks again for the help! I doubt I wouldn't have found this if you > hadn't put the bug about the cache in my ear. Not a problem! The one thing I often found problematic and remedied only by full-on deletion at the filesystem level was the Xapian search support. There would be the annoying creation of lock files despite nothing actually getting re-indexed, and then Moin wouldn't manage to update the indexes. Various maintenance tasks would also "half fail" because these spurious locks would still be around. Again, digging into this stuff is another nagging thing lurking in the background that one day might need get proper attention. Paul -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785231=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/11/16 4:09 PM, Paul Boddie wrote: > It's a bit baffling, really. Maybe creating a separate test instance on your > server with the basic elements of the desired configuration might help. I think I found the problem. I migrated one of my existing instances to the test server I set up on Friday, and did not experience the right problems I was seeing on my problematic server. Thinking back about something you mentioned regarding it possibly being a cache problem, I returned to my problematic server and simply deleted the entire cache folder for one of my instances. Created a replacement folder for it, assigned ownership of it to "www-data", then ran a "maint cleancache" command on the instance. After doing this, I then had to again reassign ownership rights for the entire cache folder to "www-data". I think this may be an issue unique to how TurnKey Linux works...the subfolders within the cache folder that were recreated had "root" ownership for some reason, and the server doesn't seem to like that. However, once rights were reassigned, now the ACLs work properly. Go figure. The location of the cache folder on this server is different than my old server, and I suspect I copied the cache files to the new location when I first migrated the instances. Looks like that isn't a good thing to do. I'm going to try this fix for all of my wiki instances tomorrow, so fingers crossed it works for all of those as well. Thanks again for the help! I doubt I wouldn't have found this if you hadn't put the bug about the cache in my ear. Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785231=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Friday 11. March 2016 21.36.47 Chris Freemesser wrote: > On 3/11/16 3:15 PM, Paul Boddie wrote: > > I'm not sure if I considered this properly before, but I'm somewhat > > convinced that this is what happens now: even acl_rights_before will > > short-circuit the decision-making process. > > The way I see it, "acl_rights_before" are the settings you never want > anybody to be able to change, "acl_rights_default" are the settings you > normally want applied, and #acl gets added when you need to make a page > "abnormal". It all makes sense and works great...when it works. ;) Yes, this is a good explanation of what I think should be happening. Maybe we both even agree with what the documentation says and what the code does. ;-) > I was able to get a second server set up with a bone stock install of > TurnKey Linux MoinMoin (greatest distro ever...took 15 minutes for it to > be up and running). Using the default wiki instance, everything works as > it should, so there has to be something about the way my wiki instances > got migrated over that created this acl issue. Next step will be to try > migrating an instance over to this test server to see what happens. > That'll be early next week though. It's a bit baffling, really. Maybe creating a separate test instance on your server with the basic elements of the desired configuration might help. > Thanks again for all the help, and have a good weekend! No problem! Given that people are still using MoinMoin, and despite the lack of core developer presence on this and other channels, I'm inclined to start looking at doing Moin-related things again just to keep it viable. It would be a shame if people stopped using it because they felt it wasn't getting much developer attention any more. Paul P.S. I guess Thomas and others are busy developing Moin 2 on Bitbucket (as well as other things), and perhaps they're on some IRC channel that isn't logged in a place I know about, but I have to say that I am a bit worried about the relative silence from the core developers. -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/11/16 3:15 PM, Paul Boddie wrote: > I'm not sure if I considered this properly before, but I'm somewhat convinced > that this is what happens now: even acl_rights_before will short-circuit the > decision-making process. The way I see it, "acl_rights_before" are the settings you never want anybody to be able to change, "acl_rights_default" are the settings you normally want applied, and #acl gets added when you need to make a page "abnormal". It all makes sense and works great...when it works. ;) I was able to get a second server set up with a bone stock install of TurnKey Linux MoinMoin (greatest distro ever...took 15 minutes for it to be up and running). Using the default wiki instance, everything works as it should, so there has to be something about the way my wiki instances got migrated over that created this acl issue. Next step will be to try migrating an instance over to this test server to see what happens. That'll be early next week though. Thanks again for all the help, and have a good weekend! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Friday 11. March 2016 20.11.57 Chris Freemesser wrote: > On 3/10/16 12:38 PM, Paul Boddie wrote: > > Now, if I understand, what you want to do is to have is administration > > and editing access set in the before rule. For example: > > > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " > > \ > > > > u"WikiGroup:read,write,delete,revert" > > > > And then you want unidentified users only being able to read pages: > > > > acl_rights_default = u"All:read" > > > > And on pages where such users shouldn't even be able to read the page, > > you would put this: > > > > #acl All: > > > > Or you might even put something else that doesn't even mention "All" or > > "Default". > > > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to > > hand, but I can't see any differences between that and 1.9.8. > > First, thanks very much for taking the time to do the testing and reply...I > greatly appreciate it! These ACLs are making my head spin. ;) That happens to us all. ;-) > What you've mentioned above could be a workaround for the issues I'm > experiencing, though I do have to give the WikiGroup admin rights so they > can create new pages. I tried this out and it seems to be working. OK. > However, the workaround does not allow me to disable WikiGroup's access to > a page. For example, I don't allow them editing rights to the WikiGroup > page itself, but with this workaround, I can't take away the rights. > Adding a #acl line to the page with instructions to remove their access > does nothing. With the rights as described above (in my previous mail), you won't be able to change what WikiGroup can do in a page ACL because acl_rights_before will have decided that already, at least as I understand things. It would be like this... acl_rights_before -> "... WikiGroup:read,write,delete,revert,admin" -> "WikiGroup:read,write,delete,revert,admin" -> "read,write,delete,revert,admin" applies What wouldn't happen is the bit where Moin looks at the page ACL and/or the acl_rights_before setting. I'm not sure if I considered this properly before, but I'm somewhat convinced that this is what happens now: even acl_rights_before will short-circuit the decision-making process. > So, it looks like I need to ultimately get the acl problem solved so it > works as designed. As soon as I can find the time I'm going to set up a > 2nd server from scratch using the same TurnKey Linux MoinMoin distribution > to see if this problem exists out-of-the-box. If it does, then it's an > issue with the distribution, and not a problem with my wiki instances. > I'll do my best to provide updates on my progress. I think that the change I described may have influenced the situation but I haven't really thought too hard about how that has happened. Meanwhile, you could try changing things to this: acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ u"+WikiGroup:read,write,delete,revert,admin" acl_rights_default = u"+All:read" And then try and change the ACL on the WikiGroup page to... #acl WikiGroup:read If my mental model of the ACL system is correct, WikiGroup should have all the "before" rights, but instead of stopping there, Moin should then look at the page ACL, see that WikiGroup has been given only the "read" right, and then return that single right as its decision. acl_rights_before -> "... WikiGroup:read,write,delete,revert,admin" -> "+WikiGroup:read,write,delete,revert,admin" -> "read,write,delete,revert,admin" apply, but not definitively -> page ACL -> "WikiGroup:read" -> "read" applies, overriding the "+WikiGroup" rights I hope this makes some sense. :-) Paul -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/10/16 12:38 PM, Paul Boddie wrote: > Now, if I understand, what you want to do is to have is administration and > editing access set in the before rule. For example: > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ > u"WikiGroup:read,write,delete,revert" > > And then you want unidentified users only being able to read pages: > > acl_rights_default = u"All:read" > > And on pages where such users shouldn't even be able to read the page, you > would put this: > > #acl All: > > Or you might even put something else that doesn't even mention "All" or > "Default". > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, > but I can't see any differences between that and 1.9.8. First, thanks very much for taking the time to do the testing and reply...I greatly appreciate it! These ACLs are making my head spin. ;) What you've mentioned above could be a workaround for the issues I'm experiencing, though I do have to give the WikiGroup admin rights so they can create new pages. I tried this out and it seems to be working. However, the workaround does not allow me to disable WikiGroup's access to a page. For example, I don't allow them editing rights to the WikiGroup page itself, but with this workaround, I can't take away the rights. Adding a #acl line to the page with instructions to remove their access does nothing. So, it looks like I need to ultimately get the acl problem solved so it works as designed. As soon as I can find the time I'm going to set up a 2nd server from scratch using the same TurnKey Linux MoinMoin distribution to see if this problem exists out-of-the-box. If it does, then it's an issue with the distribution, and not a problem with my wiki instances. I'll do my best to provide updates on my progress. Thanks again! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/10/16 12:38 PM, Paul Boddie wrote: > Now, if I understand, what you want to do is to have is administration and > editing access set in the before rule. For example: > > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ > u"WikiGroup:read,write,delete,revert" > > And then you want unidentified users only being able to read pages: > > acl_rights_default = u"All:read" > > And on pages where such users shouldn't even be able to read the page, you > would put this: > > #acl All: > > Or you might even put something else that doesn't even mention "All" or > "Default". > > This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, > but I can't see any differences between that and 1.9.8. First, thanks very much for taking the time to do the testing and reply...I greatly appreciate it! These ACLs are making my head spin. ;) What you've mentioned above could be a workaround for the issues I'm experiencing, though I do have to give the WikiGroup admin rights so they can create new pages. I tried this out and it seems to be working. However, the workaround does not allow me to disable WikiGroup's access to a page. For example, I don't allow them editing rights to the WikiGroup page itself, but with this workaround, I can't take away the rights. Adding a #acl line to the page with instructions to remove their access does nothing. So, it looks like I need to ultimately get the acl problem solved so it works as designed. As soon as I can find the time I'm going to set up a 2nd server from scratch using the same TurnKey Linux MoinMoin distribution to see if this problem exists out-of-the-box. If it does, then it's an issue with the distribution, and not a problem with my wiki instances. I'll do my best to provide updates on my progress. Thanks again! Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Thursday 10. March 2016 16.31.39 Chris Freemesser wrote: > On 3/9/16 4:25 PM, Paul Boddie wrote: > > Maybe someone will reply to your mail, but looking at the > > MoinMoin.security module, the acl_rights_default setting does appear to > > be influenced by the cache. Although you've run the maintenance commands > > to clean that, it might still be interesting to try adding the "Default" > > keyword to an explicit ACL, just to see what happens. > > Thank you for the reply and the suggestion. Changing the #acl line to > "Default" does work, but only partially. Note that this was really only for diagnostic purposes. You shouldn't need to apply "Default" explicitly unless there's a page-specific ACL that would make use of it. We're hoping to not have to use it eventually here, but for the moment it helps to rule out certain problems. > If I change the "acl_rights_default" line to this... > > acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read" > > ...and set the #acl line to this: > > #acl Default > > Then the rights are properly applied. Also, changes made to the > "acl_rights_default" line work correctly. For example, if I disable read > rights for either "WikiGroup" or "All" in this line, they then can't read > the page. So it looks like the default ACL is being used, at least if it is explicitly set in the page ACL. > However, if I change the #acl line in the page to this: > > #acl Default -All:read > > or > > #acl Default All: > > These changes to All's rights are NOT recognized...they can still read the > page. Similarly, if I give All zero rights in the "acl_rights_default" > line and try to then give them read right in the #acl line, that doesn't > work either. > > However, if I remove "All" from the "acl_rights_default" line completely > and assign rights in the #acl line, that works. The Moin documentation isn't as clear as it should be about all this. With this... acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read" #acl Default -All:read ...what the documentation says should happen is that the page ACL is read... "Default -All:read" -> "Default" is found and expanded -> "WikiGroup:read,write,delete,revert,admin All:read" -> "All:read" applies ...and then the result of "read" is returned for the unidentified user. The "- All:read" rule doesn't get considered because a rule has already been found for "All". Giving "All" zero rights (I guess that's "All:") in the acl_rights_default will cause the same thing to happen again. To clarify, we're talking about this... acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:" #acl Default +All:read Here's what happens: "Default +All:read" -> "Default" is found and expanded -> "WikiGroup:read,write,delete,revert,admin All:" -> "All:" applies ...and no rights are granted. Again, any following "+All:read" won't get considered. However, you may have better luck with something like this: acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:" #acl +All:read Default This should have the "+All:read" rule considered before the default, and the "All:" rule will not revoke the added "read" right. Of course, all of this involves use of the default rules and page ACLs, but it looks as if we really want to avoid this approach and to use the default rules as much as possible, saving the page ACLs for specific cases. Now, if I understand, what you want to do is to have is administration and editing access set in the before rule. For example: acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \ u"WikiGroup:read,write,delete,revert" And then you want unidentified users only being able to read pages: acl_rights_default = u"All:read" And on pages where such users shouldn't even be able to read the page, you would put this: #acl All: Or you might even put something else that doesn't even mention "All" or "Default". This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, but I can't see any differences between that and 1.9.8. > > Also, I'd be tempted to add some debugging statements to the > > AccessControlList.may method; something like... > > > > print >>open("/tmp/debug.txt", "a"), repr(acl) > > > > ...after the acl variable has been initialised. If anything, it would > > help check the data involved. > > I have to admit that my programming skills are essentially non-existent. > If what you suggest requires me to edit a specific file and add that line, > I'm afraid I need more explicit instructions as to which file this is. Sorry, I probably shouldn't have assumed familiarity with the code, here. To save you the bother, I've been doing the same thing myself on a wiki that should be using the same code in this area. What did intrigue me was why you should experience a difference in behaviour between 1.9.3 and 1.9.8. There was a significant change that might have made a
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On 3/9/16 4:25 PM, Paul Boddie wrote: > Maybe someone will reply to your mail, but looking at the MoinMoin.security > module, the acl_rights_default setting does appear to be influenced by the > cache. Although you've run the maintenance commands to clean that, it might > still be interesting to try adding the "Default" keyword to an explicit ACL, > just to see what happens. Thank you for the reply and the suggestion. Changing the #acl line to "Default" does work, but only partially. If I change the "acl_rights_default" line to this... acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read" ...and set the #acl line to this: #acl Default Then the rights are properly applied. Also, changes made to the "acl_rights_default" line work correctly. For example, if I disable read rights for either "WikiGroup" or "All" in this line, they then can't read the page. However, if I change the #acl line in the page to this: #acl Default -All:read or #acl Default All: These changes to All's rights are NOT recognized...they can still read the page. Similarly, if I give All zero rights in the "acl_rights_default" line and try to then give them read right in the #acl line, that doesn't work either. However, if I remove "All" from the "acl_rights_default" line completely and assign rights in the #acl line, that works. > Also, I'd be tempted to add some debugging statements to the > AccessControlList.may method; something like... > > print >>open("/tmp/debug.txt", "a"), repr(acl) > > ...after the acl variable has been initialised. If anything, it would help > check the data involved. I have to admit that my programming skills are essentially non-existent. If what you suggest requires me to edit a specific file and add that line, I'm afraid I need more explicit instructions as to which file this is. > The one thing that came to mind was the page_group_regex setting, which should > be set to a sensible default. I presume that the format of your group pages is > still correct, too. I've not changed the "page_group_regex" line in the wiki's config.py file from its default, and the WikiGroup page was not changed at all (worked fine on the old server). I did try creating a different Group page, but it didn't make a difference. Thanks, Chris _ Chris Freemesser, Systems Administrator University of Rochester Department of Brain and Cognitive Sciences The Center for Visual Science Meliora Hall, Room 255 Phone: (585)275-0786 _ -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
Re: [Moin-user] Wiki server ignoring ACLs *followup*
On Wednesday 9. March 2016 21.46.08 Chris Freemesser wrote: > > If I add *anything* or *anybody* to the "acl_rights_default" line in the > config file, *none* of the rights are recognized by the wiki pages. > > So, the "acl_rights_default" line doesn't work at all. Maybe someone will reply to your mail, but looking at the MoinMoin.security module, the acl_rights_default setting does appear to be influenced by the cache. Although you've run the maintenance commands to clean that, it might still be interesting to try adding the "Default" keyword to an explicit ACL, just to see what happens. Also, I'd be tempted to add some debugging statements to the AccessControlList.may method; something like... print >>open("/tmp/debug.txt", "a"), repr(acl) ...after the acl variable has been initialised. If anything, it would help check the data involved. > For the next test, I added WikiAdministrator to the "acl_rights_before" > line, and commented out the "acl_rights_default" line. > > I then add an #acl line on a wiki page. If I set the line to "All:" or > "All:read", both settings function as intended. > > If I add WikiUser to the #acl line, any rights I give that user (read, > write, etc.) function as intended. > > However, if I change the #acl line to only include WikiGroup, any rights > assigned to WikiGroup are ignored. > > So, the rights assigned via the #acl line work only for ALL or a USER, not > for a GROUP. > > Any thoughts as to why this may be happening? The one thing that came to mind was the page_group_regex setting, which should be set to a sensible default. I presume that the format of your group pages is still correct, too. Again, some tracing in the AccessControlList.may method might indicate whether the groups are being recognised... print >>open("/tmp/debug.txt", "a"), repr(groups) ...and so on. Unfortunately, Moin isn't the friendliest thing to interactively test, just to see if the basics are functioning, but printing stuff out to a temporary file and seeing what is happening tends to provide a few answers. Paul -- Transform Data into Opportunity. Accelerate data analysis in your applications with Intel Data Analytics Acceleration Library. Click to learn more. http://pubads.g.doubleclick.net/gampad/clk?id=278785111=/4140 ___ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user