Re: [xwiki-users] grant rights to a specific user
Ecaterina Moraru (Valica) wrote:
> On Tue, Dec 7, 2010 at 01:32, Ricardo Rodriguez [eBioTIC.] ricardo.rodrig...@ebiotic.net wrote:
>> Ecaterina Moraru (Valica) wrote:
>>> Hi,
>>> The behavior is correct because the checking order is: page, space, wiki (where a space-level setting can be superseded by a (higher ranking) page-level setting)
>>
>> That's OK but, as Wouter said, if the data model implements real-inheritance, must I not expect that the rights explicitly granted at space level are considered also as explicitly granted at document level as a consequence of rights inheritance?
>
> yes, but if you define a harder rule at page level, the space level one will be overlapsed by the new rule.
>
> Thanks,
> Caty

I get your point, thanks. But I think it keeps being counter-intuitive for me that once I grant some rights on a page to a group, the fact of explicitly adding some user (belonging or not to the previous group) rights to the same page prevents members of the original granted group, including the owner, from accessing the document.

--
Ricardo Rodríguez
CTO
eBioTIC. Life
Re: [xwiki-users] grant rights to a specific user
Ecaterina Moraru (Valica) wrote:
> Hi,
> The behavior is correct because the checking order is: page, space, wiki (where a space-level setting can be superseded by a (higher ranking) page-level setting)

That's OK but, as Wouter said, if the data model implements real-inheritance, must I not expect that the rights explicitly granted at space level are considered also as explicitly granted at document level as a consequence of rights inheritance?

Thanks!

--
Ricardo Rodríguez
CTO
eBioTIC. Life Sciences, Data Modeling and Information Management Systems
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] grant rights to a specific user
On Tue, Dec 7, 2010 at 01:32, Ricardo Rodriguez [eBioTIC.] ricardo.rodrig...@ebiotic.net wrote:
> Ecaterina Moraru (Valica) wrote:
>> Hi,
>> The behavior is correct because the checking order is: page, space, wiki (where a space-level setting can be superseded by a (higher ranking) page-level setting)
>
> That's OK but, as Wouter said, if the data model implements real-inheritance, must I not expect that the rights explicitly granted at space level are considered also as explicitly granted at document level as a consequence of rights inheritance?

yes, but if you define a harder rule at page level, the space level one will be overlapsed by the new rule.

Thanks,
Caty
Re: [xwiki-users] grant rights to a specific user
Hi,

The behavior is correct because the checking order is: page, space, wiki (where a space-level setting can be superseded by a (higher ranking) page-level setting)

The only exception I can think of that would help your use case (but is not implemented) is to have additional special rights for the document Creator. Right now the creator gets DELETE right as an additional behavior. Maybe we should always grant VIEW and EDIT to the creator. This way, at least, he could fix the rights behavior (by giving rights also to GroupA).

Another thing that is missing is a warning that by giving that right, the giver will lose it.

If you want to read more about rights:
- http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoesRightsWork
- http://dev.xwiki.org/xwiki/bin/view/Drafts/Access%20Rights
- http://dev.xwiki.org/xwiki/bin/view/Drafts/XWikiRightServiceReversed

Thanks,
Caty

On Fri, Nov 19, 2010 at 18:53, Wouter Boasson wouter.boas...@rivm.nl wrote:
> Hi,
>
> We ran into a rights problem, which might be the result of ignorance, but could also be caused by a perceptual omission in the rights model. The following happened:
>
> 1. created space, with explicit rights on group 'GroupA' (this automatically locks out users who are not a member of this group) = ok
> 2. create/edit a page as user 'UserA', member of 'GroupA' = ok
> 3. UserA (owner/creator of the document) grants view rights to user 'UserB', NOT in GroupA = problems!
>
> Now the creator/owner of the document (UserA) can NOT view his own document anymore! Same problem for every other user in 'GroupA'.
>
> I figured that this is correct from a certain point of view: an explicit view for a specific user locks out all other users, but that includes the owner and all other users, including those in 'GroupA', with correct rights at the space level. A possible solution is to grant GroupA explicitly at the same time you grant a specific user access to a certain page, but people will forget to do so.
>
> My question is: did we do anything wrong, and is it possible to manage the rights in a way that prevents this counter-intuitive behaviour?
>
> I have the feeling that the rights model lacks real-inheritance: when checking permissions for a user, it should return the permissions including that of the group as if it were his explicit permissions, also for pages that inherit rights from the space. E.g. hasView('UserA') should always return 'True' when the group he belongs to has view rights at the space level. Now it apparently returns 'False' when there is an implicit override by granting a user view rights. Or does inheritance from the space levels stop working as soon as there's any kind of override on a specific page?
>
> A possible but crude work-around could be using some intelligent trigger functions in the database to explicitly add all rights from the space to the specific document as soon as an XWikiRights object is written, but that's kind of a last resort.
>
> Could you help me? I hope for a better solution!
>
> Thanks,
> Wouter
[xwiki-users] grant rights to a specific user
Hi,

We ran into a rights problem, which might be the result of ignorance, but could also be caused by a perceptual omission in the rights model. The following happened:

1. created space, with explicit rights on group 'GroupA' (this automatically locks out users who are not a member of this group) = ok
2. create/edit a page as user 'UserA', member of 'GroupA' = ok
3. UserA (owner/creator of the document) grants view rights to user 'UserB', NOT in GroupA = problems!

Now the creator/owner of the document (UserA) can NOT view his own document anymore! Same problem for every other user in 'GroupA'.

I figured that this is correct from a certain point of view: an explicit view for a specific user locks out all other users, but that includes the owner and all other users, including those in 'GroupA', with correct rights at the space level. A possible solution is to grant GroupA explicitly at the same time you grant a specific user access to a certain page, but people will forget to do so.

My question is: did we do anything wrong, and is it possible to manage the rights in a way that prevents this counter-intuitive behaviour?

I have the feeling that the rights model lacks real-inheritance: when checking permissions for a user, it should return the permissions including that of the group as if it were his explicit permissions, also for pages that inherit rights from the space. E.g. hasView('UserA') should always return 'True' when the group he belongs to has view rights at the space level. Now it apparently returns 'False' when there is an implicit override by granting a user view rights. Or does inheritance from the space levels stop working as soon as there's any kind of override on a specific page?

A possible but crude work-around could be using some intelligent trigger functions in the database to explicitly add all rights from the space to the specific document as soon as an XWikiRights object is written, but that's kind of a last resort.

Could you help me? I hope for a better solution!

Thanks,
Wouter

Wouter Boasson (MSc)
Geo-IT Research and Coordination
RIVM - National Institute for Public Health and the Environment
Expertise Centre for Methodology and Information Services

Contact information
---
RIVM VenZ/EMI, Pb 86
t.a.v. dhr. Drs. Wouter Boasson
Postbus 1
3720 BA Bilthoven
T +31(0)302748518
F +31(0)302744456
E wouter.boas...@rivm.nl
mo - th
Disclaimer RIVM
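
The lockout reported above and the pre-save warning the reply calls missing, as an added example that is not part of the thread and is not XWiki's code: a simplified Python model of the checking order as the thread describes it. The function names, `UserC`, and the rule that a right with no entry at any level stays open are assumptions.

```python
# Simplified model of the rights check as described in this thread.
# Not XWiki code; function names and UserC are hypothetical.

LEVELS = ("page", "space", "wiki")  # checking order given in the thread


def has_right(user, right, acl, groups):
    """Return True if `user` holds `right` under `acl`.

    acl maps a level name to a list of (subject, right) allow entries.
    The first level, in LEVELS order, that carries any entry for `right`
    decides the outcome: subjects not listed there are denied.
    """
    for level in LEVELS:
        subjects = [s for s, r in acl.get(level, []) if r == right]
        if not subjects:
            continue  # nothing set here, fall through to the next level
        return any(s == user or user in groups.get(s, set()) for s in subjects)
    return True  # assumption: with no entry at any level the right is open


def locked_out(before, after, right, users, groups):
    """Users who hold `right` under `before` but would lose it under `after`.

    This is the kind of pre-save warning the reply says is missing.
    """
    return sorted(
        u for u in users
        if has_right(u, right, before, groups)
        and not has_right(u, right, after, groups)
    )


# Constructed data mirroring the three steps of the report.
GROUPS = {"GroupA": {"UserA", "UserC"}}
USERS = ["UserA", "UserB", "UserC"]
STEP1 = {"space": [("GroupA", "view")]}          # space restricted to GroupA
STEP3 = {**STEP1, "page": [("UserB", "view")]}   # UserA grants UserB on the page
WORKAROUND = {**STEP1, "page": [("UserB", "view"), ("GroupA", "view")]}

if __name__ == "__main__":
    for name, acl in (("step 1", STEP1), ("step 3", STEP3),
                      ("workaround", WORKAROUND)):
        print(name, {u: has_right(u, "view", acl, GROUPS) for u in USERS})
    print("would lose view at step 3:",
          locked_out(STEP1, STEP3, "view", USERS, GROUPS))
```

Running `locked_out` against the proposed page-level entries before they are saved lists every account that currently has access through the space and would lose it, which is the case where the granting user removes their own access.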