> > Small typo: > The check is made on whether the page that holds the groovy script was saved > *BY* *AN USER* *WHO HAS* programming rights. > > Guillaume >
The page that contains the Groovy script was create by me, (admin), and it executes without a problem. It returns the expected results. It is not the issue. > On Thu, Jun 11, 2009 at 8:35 PM, Guillaume Lerouge <guilla...@xwiki.com>wrote: > > Hi Dean, > > On Thu, Jun 11, 2009 at 7:49 PM, Dean G Weber <dean.g.we...@raytheon.com>wrote: > >> I've been struggling for a while with the dilemma of getting a user into a >> group. Let me supply some background on what we've been trying to do with >> Xwiki. >> >> We're trying to use Xwiki for an internal collaborative site. Management >> has decided that users of the wiki must complete proper training. Without >> the training, the user cannot add to the wiki pages. >> >> For authentication, we've connected the wiki to our LDAP server via the >> xwik.cfg file. Authenticated users are automatically placed into the >> XWikiAllGroup by default. In order to accommodate management >> requirements, I created a new user group... let's call it >> "TrainedUsersGroup". >> >> Once authenticated, users are placed into the Webhome page of the wiki. >> I've placed Velocity script on the Webhome page to check if the user is in >> the TrainedUsersGroup. If the user is not in the group, the user is >> redirected to the NoAccess.WebHome page. >> >> On the NoAccess.Webhome page another check is made to determine if the >> user is in the TrainedUsersGroup. If the user is not in the group, a call >> is made to a Groovy class (on another page in the Groovy namespace). The >> groovy code executes a system call to grep on the Linux system running the >> Xwiki against a CSV file pulled from an intranet web report. The passed >> user's login (which is the same as the LDAP user id) is checked against >> this file. If the returned grep output shows that the training has been >> completed, the NoAccess.WebHome page will attempt to add the user to the >> TrainedUsersGroup. If the user is added to the TrainedUsersGroup as >> determined after another check, the user is redirected back to the >> originating WebHome page. >> >> This mechanism works great if the user accessing the pages is an admin. >> However, if the user is a regular user everything except the addition to >> the group works. Instead, the code to place the user in the group displays >> on the page. It does not run and put the user into the TrainedUsersGroup. >> This is no good for our needs in which we must restrict Xwiki access for >> non-trained users. >> > > "Instead, the code to place the user in the group displays > on the page." > > *-> question:* does the wiki receive the grep output in all cases? Can you > get the output printed on the screen even if the context user isn't an > admin? If not, the problem arises earlier and you'd need to identify exactly > where it comes from. > The grep output is received as expected. The Groovy code returns a result that is correct. The Groovy script is working fine and is not the problem. The variable $completed_training is set to the strings "true" or "false" output from the Groovy code in the proper manner. I've displayed these in debugging code to the screen. > *-> observation:* this issue is typical of lacking programming rights. > Programming rights are different from other rights in that the check is not > made on whether the current user has programming rights. The check is made > on whether the page that holds the groovy script was saved with someone > holding programming rights. This is why the check you're doing against the > visiting user doesn't work. > > Programming rights work this way in order to prevent a non-authorized > person to create and execute a privileged script. Therefore what matters is > the state of the page holding your script at the point when it is being > called. What is somehow happening is that the system thinks the page holding > the script has been saved by the current user at some point and thus > displays its literal content instead of running the code. > I don't understand this. I am admin and I have edited the page. The users have been restricted and not granted edit rights to the page. It is not possible for system to think the page has been saved by the current user. A search on the page shows the last modified was me. > Thus you may want to check whether your application makes XWiki think that > the context user is the one who saved the groovy page. You need to make sure > that XWiki doesn't think that the NoAccess.WebHome page holding your second > script has been saved by the current user. Check for occurences of > $doc.save() (velocity) or doc.save() (groovy) in your code and make sure > that XWiki thinks the user performing the action is an user with programming > rights. > The Groovy page is not the problem. The NoAccess.WebHome page has been shown to be saved by the admin, me. I have even set programming rights for all users to eliminate the potential or problems. > I'm not a developer so I can't do much more for you here, hope it makes > things a bit clearer though. Good luck! > > (My original goal was to connect to our Oracle database and based upon the >> user id determine directly if the user has completed the training. I've >> had luck with a simple Groovy script running on my desktop and on the >> Linux server. However, from within the Xwiki Groovy console or on a page, >> I get no output. Therefore, I have abandoned the Oracle query check via >> Groovy.) >> >> I've been researching the Xwiki user list for weeks. I've poured over >> xwiki documentation. I've peeked at wiki page source. I've done all this >> in an attempt to figure out how to get a user to place himself into a >> group. I've found a lot of confusing and contradicting information. >> Programming rights are mentioned. The only place I found the ability to >> set this right was in the xwiki administration. I can't determine if the >> problem is even related to programming rights. I've put a debug statement >> on the NoAccess.WebHome page to print whether the user visiting the page >> has programming rights. In all cases it display that they do. Yet, only >> admins can add themselves to the TrainedUsersGroup. This doesn't work for >> me. I need to automatically add the visiting user to the TrainedUsersGroup >> once the training has been validated. > > > Btw, I'm really sorry about you experiencing this frustrating experience. > Hope this email will help a bit. > > *-> shameless plug:* XWiki SAS (www.xwiki.com) offers development support > services to help you when faced with such hurdles. I'm aware you might not > be in a position where you can consider this offer, but you'd have the > guarantee of getting an appropriate answer in a short timeframe (vs > community support, although it's usually pretty fast on these lists) plus > it's a great way to help the development of the XWiki project if you like > the product + well, it would have saved you days and effort thus making save > money in the end ;-) > Unfortunately, I am just a developer and not able to direct the funding. Since this is for an internal project for a govt. contractor, the time it would take to resolve the paperwork to put in a request for the funding for external support would be longer than me to just write the entire wiki myself. > >> What is the problem? Why won't the user go into the group? Is there a >> better way of doing this? Any help, code snippets or suggestions would be >> appreciated. > > Thanks. >> Dean Weber > > > How exactly are you adding the user to that group? If you create an > XWikiGroups object, add it to the group document, then save it, you > should use saveWithProgrammingRights() instead of save(). > > -- > Sergiu Dumitriu > http://purl.org/net/sergiu/ > THis is from the NoAccess.WebHome page. Here is the velocity code segment I am using to try and add a user to the TrainedUsersGroup group. 01 #if($completed_training == "true" or $xwiki.hasAdminRights()) 02 ## 03 ## Add the current user to the TrainedUsersGroup group 04 ## 05 #set($MyGroupDoc = $xwiki.getDocument("XWiki.TrainedUsersGroup")) 06 #if(!$MyGroupDoc.getObject("XWiki.XWikiGroups", "member", $fullName)) 07 #set($GroupObj = $MyGroupDoc.newObject("XWiki.XWikiGroups")) 08 #set($AddingUser = 1) 09 $GroupObj.set("member", $fullName) 10 $MyGroupDoc.save() 11 #end 12 #end I have tested the Groovy code that is responsible for setting the $completed_training variable depending on the user's status. That portion is correct. The Groovy code did its part and is not the problem. All lines execute correctly except for lines # 09 and 10. In the case where the current user is not an admin, those lines display on the page instead of being executed. In the case where the user is an admin, No code is display. It is executed. The admin is added to the TrainedUsersGroup without a problem. I've even changed line #10 to use saveWithProgrammingRights but it behaves the same and just displays on the screen in the case of a regular user. Why can't the user execute the code that adds himself to a group when the page was written and saved by the admin? There must be some way for me to automatically place users into a group based upon their training status. Thanks Dean Weber Sr Software Engineer II Raytheon Technical Services Company LLC _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
