On 06/09/2010 12:24 PM, Ecaterina Valica wrote: >>>> Another question is why this has been done in the first place? Can >> someone >>>> give a valid use case when this is more productive than other ways. >>>> >>> >>> I really do not know, and I am curious as well. >> >> It was done because the deny right is stronger than the allow right. How >> can I say that for space X only group A has view right, and nobody else? >> >> Attempt 1. Deny to Guest and All, allow to A. Oups, doesn't work, since >> everybody in A is also in All, and deny is stronger, so everyone is >> denied... >> > > IMO, RegisteredUsers is a special case. Imagine RegisteredUsers as a Wiki, > and GroupA as a Space; and have the same level of appliance for groups > (page-space-wiki, where space rights override wiki rights).
True, but that's not the way it was implemented initially. XWikiAllGroup was just another group like all others. Now, it is a bit more special, since it can be completely virtual, it can implicitly contain all registered users, and it is referenced in the code as the default group for new users. > So if I deny All and allow A, semantically A will have allow, because the > tie will be broken by level. Just a thought. > > Caty > > >> >> Attempt 2. Hm, how could this be done? Denying to everybody is not an >> option... So, allow the view right to A, and automagically everybody >> else is denied. Great, XWiki really rocks! >> >> This is not a very valid use case, but more like a necessity. When >> designing the current rights mechanism, a lot of not-entirely-compatible >> use cases had to be balanced, and the outcome doesn't cleanly satisfy >> all use cases, but it tries to make each scenario possible one way or >> another. >> -- Sergiu Dumitriu http://purl.org/net/sergiu/ _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
