Hi Gary,

that's weird, before writing previous e-mail I double checked the suggested approach using the following unit test

    @Test
    public void testAttachmentAcl() throws Exception {
        m_engine.saveText( "TestDefaultPage", "Foo" );

        final Attachment att = Wiki.contents().attachment( m_engine, "TestDefaultPage", "TestAtt.txt" );
        att.setAuthor( "FirstPost" );
        m_engine.getManager( AttachmentManager.class ).storeAttachment( att, m_engine.makeAttachmentFile() );

        final Permission view = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "view" );
        final Permission edit = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "edit" );
        final Session session = WikiSessionTest.anonymousSession( m_engine );

        Assertions.assertTrue( m_auth.checkPermission( session, view ), "anonymous view" );
        Assertions.assertTrue( m_auth.checkPermission( session, edit ), "anonymous edit" );
    }

and it passes for each of the following permissions on the policy file

    grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
        //permission org.apache.wiki.auth.permissions.PagePermission "*:*", "edit";
        //permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage", "edit";
        permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage/TestAtt.txt", "edit";
    };

(same for view permissions on the policy file except for the test's last assertion)

That said, I misunderstood your original e-mail, I was thinking that anonymous users weren't allowed to see (not edit) the wiki. Your policy file should be enough to allow http://mysite.org/attach/LeftMenu/mylogo.png for anonymous users. Does the log show something unusual while accessing/requesting that file? Would you mind setting the log level to debug to see if anything else pops up?

I'm preparing the release for 2.11.0-M8 in a while, but will have a closer look at this after that.

best regards,
juan pablo

On Tue, Dec 8, 2020 at 1:23 AM Gary Kephart <gary_keph...@pobox.com> wrote:

> Juan Pablo,
>
> Thanks for responding. I tried your suggestion but it's still not
> working. Below is my complete jspwiki.policy.
>
> Thanks,
> Gary
>
> grant principal org.apache.wiki.auth.authorize.Role "All" {
>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
>     permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view";
>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
> };
>
> // read-only for Anonymous users
> grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> };
>
> // read-only for Asserted users
> grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
> }    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> ;
>
> // read-only for Authenticated users
> grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> };
>
> // Members of the group "RegisteredUsers" can create, edit and rename pages.
> // They can also view all the groups.
> grant principal org.apache.wiki.auth.GroupPrincipal "RegisteredUsers" {
>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
>     permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
> };
>
> grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
>     permission org.apache.wiki.auth.permissions.AllPermission "*";
> };
> grant principal org.apache.wiki.auth.authorize.Role "Admin" {
>     permission org.apache.wiki.auth.permissions.AllPermission "*";
> };
>
> On 12/7/2020 6:00 AM, Juan Pablo Santos Rodríguez wrote:
> > Hi Gary,
> >
> > inside JSPWiki, Attachments are considered a special type of Pages, so
> > the same policy rules & syntax should apply. In this case, the following
> > permission inside the anonymous role block should be enough:
> >
> > permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view";
> >
> > Also, LeftMenu usually is a page that should be shown to all users, so
> > the following permission, also inside the anonymous role block, should
> > also do the trick and allow anonymous view on both Page and Attachment:
> >
> > permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu", "view";
> >
> > HTH,
> > juan pablo
> >
> > On Sat, Dec 5, 2020 at 6:20 PM Gary Kephart <gary_keph...@pobox.com> wrote:
> >
> >> I have a site that I've set up as read-only except for users who are in
> >> a particular group. For the most part, that works well. What doesn't
> >> seem to work is showing the site logo to users who are not logged in.
> >> When I try to directly access
> >> http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get the
> >> Forbidden page, where it mentions "It is also possible that JSPWiki
> >> cannot find its security policy, or that the policy is not configured
> >> correctly. Either of these cases would cause JSPWiki to block access, too."
> >>
> >> Is attachment policy different than page policy? Do you have to be able
> >> to modify a page in order to view an attachment? What do I need to do to
> >> fix this? I've read
> >> https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and
> >> don't see anything there that addresses this specifically.
> >>
> >> Thanks,
> >> Gary
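
The Forbidden page quoted in this thread says a misconfigured policy also blocks access, so a structural check of jspwiki.policy is a cheap first step before debugging individual permissions. The following is an added example, not code from this thread or from JSPWiki: a small Python linter that flags grant blocks whose braces and permission lines do not nest. The name lint_policy and the sample text are constructed; the sample mirrors the shape of the "Asserted" block as it appears in the quoted policy in this archive.

```python
import re

TOKEN = re.compile(r"""
    (?P<grant>\bgrant\b[^{;]*\{)       # block header up to its opening brace
  | (?P<perm>\bpermission\b[^;{}]*;)   # one permission statement
  | (?P<close>\}\s*;)                  # proper block terminator
  | (?P<stray>[{};])                   # any other structural character
""", re.VERBOSE)
SAMPLE = '''\
// constructed sample: one well-formed block, one with the brace misplaced
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
}   permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
;
'''

def lint_policy(text):
    """Return a list of (line, message) structural findings; empty means clean."""
    # Simplification: only whole-line // comments are recognised and skipped.
    lines = ["" if ln.lstrip().startswith("//") else ln for ln in text.splitlines()]
    body = "\n".join(lines)
    findings, current, count = [], None, 0
    for m in TOKEN.finditer(body):
        line = body.count("\n", 0, m.start()) + 1
        kind = m.lastgroup
        if kind == "grant":
            if current is not None:
                findings.append((line, f"grant opened before {current!r} was closed"))
            name = re.search(r'"([^"]*)"', m.group())
            current, count = (name.group(1) if name else "<no principal>"), 0
        elif kind == "perm":
            if current is None:
                findings.append((line, "permission outside any grant block"))
            count += 1
        elif kind == "close" or m.group() == "}":
            if current is None:
                findings.append((line, "closing brace without an open grant block"))
            else:
                if count == 0:
                    findings.append((line, f"grant for {current!r} contains no permissions"))
                if kind == "stray":
                    findings.append((line, f"grant for {current!r} closed without ';'"))
            current = None
        else:
            findings.append((line, f"stray {m.group()!r}"))
    if current is not None:
        findings.append((len(lines), f"grant for {current!r} never closed"))
    return findings
```

Calling lint_policy(SAMPLE) reports the empty "Asserted" grant, its missing terminator, the orphaned permission and the stray semicolon, while a well-formed block yields an empty list.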