Small typo: The check is made on whether the page that holds the groovy script was saved *BY* *A USER* *WHO HAS* programming rights.

Guillaume

On Thu, Jun 11, 2009 at 8:35 PM, Guillaume Lerouge <[email protected]> wrote:

> Hi Dean,
>
> On Thu, Jun 11, 2009 at 7:49 PM, Dean G Weber <[email protected]> wrote:
>
>> I've been struggling for a while with the dilemma of getting a user into a group. Let me supply some background on what we've been trying to do with Xwiki.
>>
>> We're trying to use Xwiki for an internal collaborative site. Management has decided that users of the wiki must complete proper training. Without the training, the user cannot add to the wiki pages.
>>
>> For authentication, we've connected the wiki to our LDAP server via the xwik.cfg file. Authenticated users are automatically placed into the XWikiAllGroup by default. In order to accommodate management requirements, I created a new user group... let's call it "TrainedUsersGroup".
>>
>> Once authenticated, users are placed into the Webhome page of the wiki. I've placed Velocity script on the Webhome page to check if the user is in the TrainedUsersGroup. If the user is not in the group, the user is redirected to the NoAccess.WebHome page.
>>
>> On the NoAccess.Webhome page another check is made to determine if the user is in the TrainedUsersGroup. If the user is not in the group, a call is made to a Groovy class (on another page in the Groovy namespace). The groovy code executes a system call to grep on the Linux system running the Xwiki against a CSV file pulled from an intranet web report. The passed user's login (which is the same as the LDAP user id) is checked against this file. If the returned grep output shows that the training has been completed, the NoAccess.WebHome page will attempt to add the user to the TrainedUsersGroup. If the user is added to the TrainedUsersGroup as determined after another check, the user is redirected back to the originating WebHome page.
>>
>> This mechanism works great if the user accessing the pages is an admin.
>> However, if the user is a regular user everything except the addition to the group works. Instead, the code to place the user in the group displays on the page. It does not run and put the user into the TrainedUsersGroup. This is no good for our needs in which we must restrict Xwiki access for non-trained users.
>>
>
> "Instead, the code to place the user in the group displays on the page."
>
> *-> question:* does the wiki receive the grep output in all cases? Can you get the output printed on the screen even if the context user isn't an admin? If not, the problem arises earlier and you'd need to identify exactly where it comes from.
>
> *-> observation:* this issue is typical of lacking programming rights. Programming rights are different from other rights in that the check is not made on whether the current user has programming rights. The check is made on whether the page that holds the groovy script was saved with someone holding programming rights. This is why the check you're doing against the visiting user doesn't work.
>
> Programming rights work this way in order to prevent a non-authorized person from creating and executing a privileged script. Therefore what matters is the state of the page holding your script at the point when it is being called. What is somehow happening is that the system thinks the page holding the script has been saved by the current user at some point and thus displays its literal content instead of running the code.
>
> Thus you may want to check whether your application makes XWiki think that the context user is the one who saved the groovy page. You need to make sure that XWiki doesn't think that the NoAccess.WebHome page holding your second script has been saved by the current user. Check for occurrences of $doc.save() (velocity) or doc.save() (groovy) in your code and make sure that XWiki thinks the user performing the action is a user with programming rights.
>
> I'm not a developer so I can't do much more for you here, hope it makes things a bit clearer though. Good luck!
>
>> (My original goal was to connect to our Oracle database and based upon the user id determine directly if the user has completed the training. I've had luck with a simple Groovy script running on my desktop and on the Linux server. However, from within the Xwiki Groovy console or on a page, I get no output. Therefore, I have abandoned the Oracle query check via Groovy.)
>>
>> I've been researching the Xwiki user list for weeks. I've pored over xwiki documentation. I've peeked at wiki page source. I've done all this in an attempt to figure out how to get a user to place himself into a group. I've found a lot of confusing and contradicting information. Programming rights are mentioned. The only place I found the ability to set this right was in the xwiki administration. I can't determine if the problem is even related to programming rights. I've put a debug statement on the NoAccess.WebHome page to print whether the user visiting the page has programming rights. In all cases it displays that they do. Yet, only admins can add themselves to the TrainedUsersGroup. This doesn't work for me. I need to automatically add the visiting user to the TrainedUsersGroup once the training has been validated.
>
> Btw, I'm really sorry about you experiencing this frustrating experience. Hope this email will help a bit.
>
> *-> shameless plug:* XWiki SAS (www.xwiki.com) offers development support services to help you when faced with such hurdles.
> I'm aware you might not be in a position where you can consider this offer, but you'd have the guarantee of getting an appropriate answer in a short timeframe (vs community support, although it's usually pretty fast on these lists) plus it's a great way to help the development of the XWiki project if you like the product + well, it would have saved you days and effort thus making you save money in the end ;-)
>
>> What is the problem? Why won't the user go into the group? Is there a better way of doing this? Any help, code snippets or suggestions would be appreciated.
>>
>> Thanks.
>> Dean Weber
>> Sr Software Engineer II
>> Raytheon Technical Services Company LLC
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
> Guillaume
>
> --
> Guillaume Lerouge
> Product Manager - XWiki
> Skype: wikibc
> Twitter: glerouge
> http://guillaumelerouge.com/
>

--
Guillaume Lerouge
Product Manager - XWiki
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
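
The rule discussed in this thread (a script runs with the rights of whoever last saved the page holding it, not of the visitor) can be shown with a small model. This is an added example, not part of the original messages and not XWiki code: the `Page` class, the functions, the user names and the page content are all hypothetical and constructed for illustration.

```python
# Simplified model of the rule described in the thread; NOT XWiki code.
# All names below are hypothetical and the sample data is constructed.
from dataclasses import dataclass

PROGRAMMING_USERS = {"XWiki.Admin"}      # constructed: users granted programming rights


@dataclass
class Page:
    name: str
    content: str
    content_author: str                  # last user who saved the page

    def save(self, as_user: str) -> None:
        # Saving re-stamps the author; the script's privilege follows it.
        self.content_author = as_user


def has_programming_rights(page: Page) -> bool:
    """The check looks at who saved the page, never at who is viewing it."""
    return page.content_author in PROGRAMMING_USERS


def render(page: Page, visitor: str) -> str:
    """Run the script if the page author is privileged, else show it as text."""
    if has_programming_rights(page):
        return f"EXECUTED for {visitor}"
    return page.content                  # script source displayed literally


def demo() -> list:
    page = Page("NoAccess.WebHome", "<% addToGroup(user) %>", "XWiki.Admin")
    out = []
    # 1. Saved by an admin: the script runs for an unprivileged visitor, and a
    #    debug print of the rights check reports True whoever is visiting.
    out.append(render(page, "XWiki.trainee"))
    out.append(has_programming_rights(page))
    # 2. Some code path saves the page in the visitor's name.
    page.save(as_user="XWiki.trainee")
    # 3. In this model the page now fails the check for every visitor,
    #    until a privileged user saves it again.
    out.append(render(page, "XWiki.trainee"))
    out.append(render(page, "XWiki.Admin"))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```
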
