Description
I have acl_rights_before specified in wikiconfig.py and if a group does not have admin rights, page acl overrides it!
For example, my entries in wikiconfig.py are:
acl_rights_before = u"RichardWiseman:read,write,delete,revert,admin AdminGroup:read,write,revert,delete,admin EditGroup:read,write,revert,delete"
acl_rights_after = acl_rights_default = u"ReadGroup:read All:none"
superuser = [u"RichardWiseman"]
I have made the front page of the Wiki and one or two others readable to all, but the majority is only readable to people in the ReadGroup, EditGroup and AdminGroup. The readable-to-all pages contain the following line:
#acl All:read
Members of the AdminGroup are able to edit these pages; members of EditGroup are not able to.
Removing the page-level ACL allows EditGroup members to edit the page.
Steps to reproduce
- Set up ACL so that EditGroup (for example) has read,write,revert,delete permissions specified in acl_rights_before and in acl_rights_after include All:none.
- Add #acl All:read to page XYZ to make it readable to all. (This functionality works fine.)
- Log in as a member of EditGroup.
- Go to page XYZ. It is labelled as immutable. It should be editable because EditGroup is given permission in acl_rights_before.
- Log in as an administrator.
- Go to page XYZ. It is editable, as it should be.
- Edit the page and remove the #acl line from page XYZ.
- Log in as a member of EditGroup.
- Go to page XYZ. It is editable, as it should be.
Example
Example is as described. I've got no publicly visible Wiki, and a screen shot won't show the problem.
Component selection
- general
Details
MoinMoin Version | 1.9
OS and Version | Windows Server 2003
Python Version | 2.6.4
Server Setup | Apache 2.2 + WSGI
Server Details | Apache version 2.2.14
Language you are using the wiki in (set in the browser/UserPreferences) | English
Workaround
None.
Discussion
RW: Thanks for looking at this for me.
none is not a valid right
- RW: Good point. Presumably it's just ignored though. It gives the effect I want anyway!
Please check in the SystemAdmin user browser whether you have members in EditGroup.
RW: There are six users in the EditGroup. I use my superuser rights to log in as them and check access.
Please show your page_group_regex.
RW: page_group_regex = ur'(?P<all>(?P<key>\S+)Group)'
If this was an upgrade, have you cleaned all of moin's cache files with maint cleancache while the server was offline?
- RW: It was an upgrade, from v1.7. I certainly tried to clear caches, although I don't know if it succeeded!
I have no Windows server handy, but I tried to rebuild the setup on a Linux system. I can't reproduce it on that Linux box. Maybe provide an instance of the moin data dir. -- ReimarBauer 2010-01-20 21:15:56
RW: Happy to provide a zip of the data dir – there's no private data in there, is there?
RW: I've read through the HelpOnAccessControlLists page again. I've changed my defaults to:
acl_rights_before = u"RichardWiseman:read,write,delete,revert,admin AdminGroup:read,write,revert,delete,admin"
acl_rights_after = acl_rights_default = u"EditGroup:read,write,revert,delete ReadGroup:read All:"
superuser = [u"RichardWiseman"]
and the page's ACL to: #acl +All:read
and this has the desired effect (i.e. members of EditGroup can edit the page). I must confess, I was almost randomly making changes – I also tried the page's ACL as #acl +All:read Default which seemed to have the same effect. Perhaps this 'bug' is just me misunderstanding how ACL works, but reading the HelpOnAccessControlLists page, it still sounds to me like my original setup should have worked (since the inclusion of EditGroup:read,write,revert,delete in acl_rights_before should have overridden the ACL in the page, giving members of EditGroup edit permission).
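The evaluation order this report relies on (acl_rights_before, then the page ACL or acl_rights_default when the page has none, then acl_rights_after, with the first matching entry deciding), as a simplified model added here; it is not MoinMoin's own code. It assumes invalid rights such as none are dropped, leaves out the Known and Trusted special users, and uses constructed user names and group membership.

```python
VALID = ("read", "write", "delete", "revert", "admin")

def parse(acl, default=""):
    """ACL string -> [(name, {right: bool})]; 'Default' splices in the default ACL."""
    entries = []
    for token in acl.split():
        if token == "Default":
            entries += parse(default)
            continue
        mod = token[0] if token[0] in "+-" else ""
        names, _, rights = token[len(mod):].partition(":")
        listed = [r for r in rights.split(",") if r in VALID]  # "none" is dropped
        if mod:  # +/- entries decide only the rights they list
            verdicts = {r: mod == "+" for r in listed}
        else:    # plain entries decide every right: listed -> True, others -> False
            verdicts = {r: r in listed for r in VALID}
        entries += [(name, verdicts) for name in names.split(",")]
    return entries

def may(entries, user, groups, right):
    """First matching entry that decides `right` wins; None means undecided."""
    for name, verdicts in entries:
        if name in ("All", user) or user in groups.get(name, ()):
            if right in verdicts:
                return verdicts[right]
    return None

def check(cfg, page_acl, user, groups, right):
    """Evaluate before, then the page ACL (default if the page has none), then after."""
    middle = cfg["default"] if page_acl is None else page_acl
    for acl in (cfg["before"], middle, cfg["after"]):
        verdict = may(parse(acl, cfg["default"]), user, groups, right)
        if verdict is not None:
            return verdict
    return False

# Constructed group membership; the ACL strings are the two setups from the report.
GROUPS = {"AdminGroup": {"AdminUser"}, "EditGroup": {"EditUser"}, "ReadGroup": {"ReadUser"}}
ADMINS = "RichardWiseman:read,write,delete,revert,admin AdminGroup:read,write,revert,delete,admin"
ORIGINAL = {"before": ADMINS + " EditGroup:read,write,revert,delete",
            "after": "ReadGroup:read All:none", "default": "ReadGroup:read All:none"}
REVISED = {"before": ADMINS,
           "after": "EditGroup:read,write,revert,delete ReadGroup:read All:",
           "default": "EditGroup:read,write,revert,delete ReadGroup:read All:"}

if __name__ == "__main__":
    # Page ACLs are passed without the leading "#acl ".
    for label, cfg, page in (("original, All:read", ORIGINAL, "All:read"),
                             ("revised, All:read", REVISED, "All:read"),
                             ("revised, +All:read", REVISED, "+All:read")):
        print(label, "-> EditUser write:", check(cfg, page, "EditUser", GROUPS, "write"))
```

In this model EditGroup members may write under the original setup whatever the page ACL says. Under the revised defaults a plain All:read page ACL would deny them, while +All:read leaves the decision to acl_rights_after.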
Plan
- Priority:
- Assigned to:
- Status: