This patch allows group names specified in ACLs to be relative page names.
So say we did:
acl_rights_before = "/AllowedGroup:read,write"
Then when we viewed FrontPage, all users in FrontPage/AllowedGroup would have read,write permissions. FooBarPage -> FooBarPage/AllowedGroup. etc.
--- /home/nick/moin-1.3.3/MoinMoin/wikiacl.py 2005-01-09 15:05:06.000000000 -0600
+++ /usr/lib/python2.3/site-packages/MoinMoin/wikiacl.py 2005-04-08 18:47:40.000000000 -0500
@@ -8,7 +8,7 @@
"""
import re
-from MoinMoin import user
+from MoinMoin import user, wikiutil
class AccessControlList:
''' Access Control List
@@ -201,10 +201,14 @@
allowed = None
for entry, rightsdict in self.acl:
+ abs_entry = entry
+ if entry.startswith(wikiutil.CHILD_PREFIX):
+ abs_entry = ''.join([request.page.page_name, entry])
+
if entry in self.special_users:
handler = getattr(self, "_special_"+entry, None)
allowed = handler(request, name, dowhat, rightsdict)
- elif self._is_group.get(entry) and is_group_member(entry, name):
+ elif self._is_group.get(entry) and is_group_member(abs_entry, name):
allowed = rightsdict.get(dowhat)
elif entry == name:
allowed = rightsdict.get(dowhat)This looks nice and simple. Do you use this code in production? For what? -- ThomasWaldmann 2005-04-09 09:14:09
This is simple, but Its not clear what is the effect and why we need this. How is this going to work with HierachicalAccessControlList, which is a feature that few developers want and already started to work on? -- NirSoffer 2005-04-09 16:23:30
I forgot to link to NickWelch/SubpageAccessControlList, which was my earlier idea, before I found this simpler one. Basically the purpose is to have ACLs apply to pages without actually having the #acl this:that in the source of the page. I.e. when you don't want to confuse people, and/or maybe the list of ACLs would be long and cumbersome. It's not used in production yet. One issue still left is that anyone can go about creating a WhateverPage/AllowedGroup page... I overlooked that because it wasn't a problem with the previous solution, since only admin people can edit ACLs. But anyone can edit a list on a page! -- NickWelch 2005-04-11 21:42:36
ok, new patch that matches page_name against a regex (acl_relativegroups_re) in config:
--- /home/nick/moin-1.3.3/MoinMoin/wikiacl.py 2005-01-09 15:05:06.000000000 -0600
+++ /usr/lib/python2.3/site-packages/MoinMoin/wikiacl.py 2005-04-11 16:50:46.000000000 -0500
@@ -8,7 +8,7 @@
"""
import re
-from MoinMoin import user
+from MoinMoin import user, wikiutil
class AccessControlList:
''' Access Control List
@@ -201,10 +201,16 @@
allowed = None
for entry, rightsdict in self.acl:
+ abs_entry = entry
+ pagename = request.page.page_name
+ if (re.match(request.cfg.acl_relativegroups_re, pagename) and
+ entry.startswith(wikiutil.CHILD_PREFIX)):
+ abs_entry = ''.join([pagename, entry])
+
if entry in self.special_users:
handler = getattr(self, "_special_"+entry, None)
allowed = handler(request, name, dowhat, rightsdict)
- elif self._is_group.get(entry) and is_group_member(entry, name):
+ elif self._is_group.get(entry) and is_group_member(abs_entry, name):
allowed = rightsdict.get(dowhat)
elif entry == name:
allowed = rightsdict.get(dowhat)So acl_relativegroups_re would contain a regex matching the page names of pages that you want to allow relative groups on. With:
acl_relativegroups_re = "^(ThisPage|ThatPage)$"
.. it would allow ThisPage/AllowedGroup and ThatPage/AllowedGroup, but AnotherPage/AllowedGroup would just be treated as a normal page.
Check if you can get the same effect with a custom security policy class. Here is an example for such class (not related to this problem):
- policy.py
1 """ 2 Give automatic admin rights for users for their home page or sub pages. 3 4 Bypass page acl for the "owner" of the page, use page acl for other 5 users. Amdins always has admin rights if they are in acl_rights_before. 6 7 Note that anyone can register with an existing page name and then admin that page ignoring the page acl. 8 """ 9 10 # If you want to use antispam, sub class from antispam: 11 # from MoinMoin.util.antispam import SecurityPolicy as Permissions 12 from MoinMoin.security import Permissions 13 14 from MoinMoin import wikiutil 15 16 class SecurityPolicy(Permissions): 17 def admin(self, pagename): 18 # Give right if page name starts with username, bypassing page acl 19 if (self.request.user.valid and 20 pagename.startswith(self.request.user.name) and 21 (not wikiutil.isSystemPage(self.request, pagename))): 22 return True 23 24 # Use base class policy: 25 return Permissions.__getattr__(self, 'admin')(pagename) 26