6 Replies Latest reply on Jan 2, 2008 1:41 PM by danielgallot

    CMS security not working

    danielgallot

      Hi,

      I am using AS 4.2.2 + portal 2.6.2.
      I am trying to configure CMS security.
      I have defined a role: myRole, and various users, but I want to define CMS security only with roles.
      I have defined the following security on the following directories:
      For all directories, the "Administrators" role has the manage permission and it is the only one to have it. It also has the read and write permissions everywhere, but other roles have them in some places too.
      "/" is readable by all the roles except "Users" and "Anonymous". No more permissions on "/".
      "/MyTopDirectory" is readable by all the roles except "Users" and "Anonymous". No more permissions on "/MyTopDirectory".
      "/MyTopDirectory/TheUsableDirectory" is readable and writable by "myRole". No more permissions on "/MyTopDirectory/TheManagerDirectory".

      I have also defined a new page with the AdminCMSPortlet to let "MyRole" users access it.

      But "MyRole" users do not see any directories in this portlet, just the action menu, and get "access denied" or various exceptions when trying to use it.

      But even a very simple example does not work:
      - do not give any permissions to the "Anonymous" role on the "/" directory and give it "read" permission on the "default" directory (no permissions are defined on index.html for any role or user): access is denied on /default/index.html of the CMS portlet home page.
      If the "Anonymous" role has read permission on the "/" directory, it works.
      So "Any Permissions specified explicitly on the CMS Node overrides the policy inherited via recursive propagation", as indicated in chapter 14.2 of the portal reference guide, is not working?

      Yes, I know, I am missing something. I have not found it in the documentation or in the portal user forum.

      Thanks a lot for some help.

        • 1. Re: CMS security not working
          soshah
          - do not give any permissions to "Anonymous" role on "/" directory and give it "read" permissions on "default" directory (no permissions are defined on index.html for any role or user) : Access is denied on the /default/index.html of the CMS portlet home page.
          If "Anonymous" role has read permissions on "/" directory, it works.
          So "Any Permissions specified explicitly on the CMS Node overrides the policy inherited via recursive propagation" as indicated in 14.2 chapter of portal reference guide is not working ?


          This is expected behavior. The permissions recurse down the tree, not up the tree. In your case, since you have no access to the '/' node, specifying permissions on '/default' and automatically granting permission to access the '/' node would be a security hole.

          The idea for recursion is: say you give all users access to the "/" node; then the entire tree will be accessible. But if "/private" needs to be protected for certain users, you specify it there; in that case, the entire CMS tree is not fully exposed.


          I have defined a role : myRole. And various users but I want to define CMS security only with roles.
          I have defined the following security on the following directories :
          For all directories, "Administrators" role has the manage permissions and it is the only one to get it. It has also the read and write permissions everywhere but other roles got them sometimes.
          "/" is readable by all the roles excepted "Users" and "Anonymous". No more permissions on "/".
          "/MyTopDirectory" is readable by all the roles excepted "Users" and "Anonymous". No more permissions on "/MyTopDirectory".
          "/MyTopDirectory/TheUsableDirectory" is readable and writable by "myRole". No more permissions on "/MyTopDirectory/TheManagerDirectory".

          This setup should work. A similar but simpler setup would be the following; give this a try and see what you get:

          "/" - make readable to all roles including "myRole" except Users and Anonymous
          "/MyTopDirectory/TheUsableDirectory" - make readable and writable to "myRole"

          Let me know what you get with this setup.

          Note: this is essentially the same result you are trying to achieve, except it's a simpler way to approach it.

          Hope this helps

          Thanks

          • 2. Re: CMS security not working
            danielgallot
            "/" - make readable to all roles including "myRole" except Users and Anonymous
            "/MyTopDirectory/TheUsableDirectory" - make readable and writable to "myRole"

            let me know what you get with this setup.

            Note: this is essentially the same result you are trying to achieve, except it's a simpler way to approach it.

            OK, I understand this is a simpler configuration because I don't need to declare again the same rights as those already granted in the parent directories.

            I tried it and got the following:
            - "Create a folder", in "/MyTopDirectory/TheUsableDirectory", for a user with "myRole"
            ==> exception "access denied"

            - "Upload a file": same thing

            But there is another effect I don't understand: "myRole" has read access to "/MyTopDirectory/TheUsableDirectory" and not to the other directories, where it has not been granted write access.

            Am I missing something?

            I noticed the second effect because what I actually need is the following: I also have "myRole2", which should have write access on "/MyTopDirectory/TheUsableDirectory2" but no read access to "/MyTopDirectory/TheUsableDirectory", and vice versa for "myRole". In fact I have 20 different roles and corresponding "TheUsableDirectoryN" directories.
            And also "mySupervisor", which has read/write access to all these directories, but not to "/"!

            I tried not giving read access to all roles on "/", granting read access on "/MyTopDirectory" instead; I get "access denied" (the exception) immediately in the CMS administration. (N.B.: anonymous gets "access denied" as a gentle message.)

            So what can I do? I am a bit lost...

            Thanks a lot for your help.


            • 3. Re: CMS security not working
              soshah
              I tried it and got the following:
              - "Create a folder", in "/MyTopDirectory/TheUsableDirectory", for a user with "myRole"
              ==> exception "access denied"

              If the role 'myRole' has write access on '/MyTopDirectory/TheUsableDirectory' then you should be allowed to create a folder under '/TheUsableDirectory'. If that's failing, I will have to look into trying to reproduce this and fix it if it is actually a bug. Let me look into this.


              But there is another effect I don't understand: "myRole" has read access to "/MyTopDirectory/TheUsableDirectory" and not to the other directories, where it has not been granted write access.

              Specifying 'write' access to '/TheUsableDirectory' should recurse to other directories under '/TheUsableDirectory', and since write implies read, you should have 'read' access there. *Except of course if you specifically specify permissions on nodes under this, which override the recursing permissions*
              Are you overriding the recursing permissions on the nodes?


              I try to not give read access to all roles on "/"


              Are you at least granting '/' access to the roles that need access to directories under '/'?

              The reason I ask is, if you grant read access to 'MyTopDirectory' but no access to '/', then you will not get access to 'MyTopDirectory', for obvious security reasons. Permissions only recurse down the tree, not up the tree.

              Hope this clarifies some issues.

              Thanks and Merry Christmas

              • 4. Re: CMS security not working
                soshah
                But there is another effect I don't understand: "myRole" has read access to "/MyTopDirectory/TheUsableDirectory" and not to the other directories, where it has not been granted write access.


                BTW, one more thing: if you are overriding the recursing permissions, which it looks like you are, then

                for myRole2, who needs write access to /MyUsableDirectory2 but only read access to /MyUsableDirectory, then for the permissions on /MyUsableDirectory make sure you grant this role at least *read access*.

                The same goes for myRole getting read/write on MyUsableDirectory: specify write access for it there,

                and for myRole getting read on MyUsableDirectory2: specify read access for myRole on that, not write access.

                Thanks
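Added illustration (an editor's example, not part of any post in this thread and not JBoss Portal's own code): a small Python model of the resolution rules soshah gives in replies 1, 3 and 4, run over the constructed role and directory names used above. It assumes exactly these rules: permissions propagate down the tree and never up; an ACL set explicitly on a node replaces the inherited one for every role at that node (the reading of reply 4 under which a role left out of the override loses the read it inherited); write implies read; and reaching a node requires read on every ancestor, root included. The names `IMPLIED`, `ancestors`, `effective`, `can` and `with_grant`, and the three `SCENARIO_*` policies, belong to this example only, not to the portal API.

```python
"""Toy resolver for the CMS node-permission rules stated in this thread.

Added example, not JBoss Portal's code. Node and role names are the
constructed ones from the thread; the rules are those given in replies
1, 3 and 4 (permissions recurse down, not up; an explicit ACL on a node
replaces the inherited one; write implies read; reaching a node needs
read on every ancestor).
"""
from typing import Dict, List, Set

# role -> set of permission names; only nodes with an explicit ACL are keys.
Acl = Dict[str, Set[str]]
Policy = Dict[str, Acl]

IMPLIED = {"write": {"read"}}  # "write implies read", per reply 3


def expand(perms: Set[str]) -> Set[str]:
    """Add the permissions implied by the ones explicitly held."""
    out = set(perms)
    for p in perms:
        out |= IMPLIED.get(p, set())
    return out


def ancestors(path: str) -> List[str]:
    """Return the node chain root first, e.g. '/a/b' -> ['/', '/a', '/a/b']."""
    chain = ["/"]
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts)):
        chain.append("/" + "/".join(parts[: i + 1]))
    return chain


def effective(policy: Policy, path: str, role: str) -> Set[str]:
    """Permissions of `role` at `path` taken on its own: the nearest explicit
    ACL on the node or above it decides (explicit overrides inherited), and
    nothing propagates upward from children."""
    for node in reversed(ancestors(path)):
        if node in policy:
            return expand(policy[node].get(role, set()))
    return set()


def can(policy: Policy, path: str, role: str, perm: str) -> bool:
    """True if `role` holds `perm` at `path` and read on every ancestor."""
    chain = ancestors(path)
    for node in chain[:-1]:
        if "read" not in effective(policy, node, role):
            return False
    return perm in effective(policy, path, role)


def with_grant(policy: Policy, node: str, role: str, perm: str) -> Policy:
    """Copy of `policy` with `perm` added for `role` in the explicit ACL of `node`."""
    new = {n: {r: set(p) for r, p in acl.items()} for n, acl in policy.items()}
    new.setdefault(node, {}).setdefault(role, set()).add(perm)
    return new


# Scenario A (original post / reply 1): Anonymous has no entry on "/" but
# read on "/default".
SCENARIO_A: Policy = {
    "/": {"Administrators": {"read", "write", "manage"}, "myRole": {"read"}},
    "/default": {"Anonymous": {"read"}},
}

# Scenario B (replies 3 and 4): "/" readable by the named roles; an explicit
# ACL on TheUsableDirectory listing myRole only; an explicit ACL on
# TheUsableDirectory2 that keeps read for myRole while giving myRole2 write.
SCENARIO_B: Policy = {
    "/": {"Administrators": {"read", "write", "manage"},
          "myRole": {"read"}, "myRole2": {"read"}, "mySupervisor": {"read"}},
    "/MyTopDirectory/TheUsableDirectory": {"myRole": {"write"}},
    "/MyTopDirectory/TheUsableDirectory2": {"myRole2": {"write"}, "myRole": {"read"}},
}

# Scenario C (reply 3): read granted on "/MyTopDirectory" but not on "/".
SCENARIO_C: Policy = {
    "/": {"Administrators": {"read", "write", "manage"}},
    "/MyTopDirectory": {"myRole": {"read"}},
}

if __name__ == "__main__":
    checks = [
        (SCENARIO_A, "/default/index.html", "Anonymous", "read"),
        (with_grant(SCENARIO_A, "/", "Anonymous", "read"), "/default/index.html", "Anonymous", "read"),
        (SCENARIO_B, "/MyTopDirectory/TheUsableDirectory", "myRole", "write"),
        (SCENARIO_B, "/MyTopDirectory/TheUsableDirectory", "myRole2", "read"),
        (SCENARIO_B, "/MyTopDirectory/TheUsableDirectory2", "myRole", "read"),
        (SCENARIO_B, "/MyTopDirectory/TheUsableDirectory2", "myRole2", "write"),
        (SCENARIO_C, "/MyTopDirectory", "myRole", "read"),
    ]
    for policy, path, role, perm in checks:
        print(f"{role:13} {perm:5} {path:40} -> {can(policy, path, role, perm)}")
```

Scenario A reproduces the first post (denied until Anonymous also gets read on "/"), scenario B shows why a role omitted from an explicit ACL loses the read it inherited from "/" while a role listed there with read keeps it, and scenario C shows read on a child doing nothing without read on the root. If the real portal behaves differently on any of these, the model is wrong there, not the portal.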

                • 5. Re: CMS security not working
                  danielgallot
                  But there is another effect I don't understand: "myRole" has read access to "/MyTopDirectory/TheUsableDirectory" and not to the other directories, where it has not been granted write access.
                  Specifying 'write' access to '/TheUsableDirectory' should recurse to other directories under '/TheUsableDirectory', and since write implies read, you should have 'read' access there. *Except of course if you specifically specify permissions on nodes under this, which override the recursing permissions*
                  Are you overriding the recursing permissions on the nodes?

                  OK, I understand why "myRole" gets read access to '/TheUsableDirectory' (since it has write access there), but I don't understand why it does not have read access on '/TheUsableDirectory2', since it has read access to "/".
                  I am not overriding more than what I describe.

                  The reason I ask is, if you grant read access to 'MyTopDirectory' but no access to '/', then you will not get access to 'MyTopDirectory', for obvious security reasons. Permissions only recurse down the tree, not up the tree.

                  OK, I have to grant read access to "/".


                  for myRole2, who needs write access to /MyUsableDirectory2 but only read access to /MyUsableDirectory, then for the permissions on /MyUsableDirectory make sure you grant this role at least *read access*.

                  In fact I don't want to grant "myRole2" read access to /MyUsableDirectory.
                  But when does "overriding the recursing permissions" happen? As soon as you make one change for a given role in any directory? That would explain why read access is no longer available on '/TheUsableDirectory2'...

                  Thanks, and Merry Christmas to you too. I am on holidays now until 02/01/2008.
                  Happy to hear from you next year!


                  • 6. Re: CMS security not working
                    danielgallot

                    Here is what I understand about "overriding the recursing permissions" (I am only using roles):

                    For a given directory, if one overrides the read permission, i.e. for at least one role, the read permission is redefined for all the roles (they get it if explicitly selected / lose it if not explicitly selected). And the write and manage permissions are also redefined, even if their selection lists are not modified.

                    Is that right? (Anyway, it is not so obvious to me; lots of tests to look over those grants.) The following tests have been done.

                    Well, first, this does not seem applicable to the "admin" user: it keeps all the rights whatever I give or do not give to the Administrators role. OK, I keep it apart. So I created "myAdmin" with the "Administrators" role.

                    Here is what I got with "myAdmin" and the other users and directories we used in the previous posts (users with the same name as the role for each of "myRole" and "myRole2"):
                    - All the roles have the read permission on "/" except "anonymous" and "users", and "Administrators" has the write and manage permissions.
                    - I redefined the read permission of "/default": only "anonymous" and "users" have it.
                    This is OK: "myRole", "myRole2", "mySupervisor" and "myAdmin" no longer have access to "default", nor to /default/index.html on the home page.
                    And they still have access to "/MyTopDirectory".
                    Anonymous and users have access to /default/index.html (what happens if a user has both "myRole" and "users"? ... I'll look at that another time, especially regarding directory access while using the CMS).

                    - I redefined the write permission on "/MyTopDirectory" to give it to "mySupervisor" (the one that has to organize this directory).
                    This is not OK because
                    1) an "access denied" exception happens to "mySupervisor" when trying "create folder" or "upload file" <<<< this is a big problem (1)
                    2) "myRole", "myRole2" and "myAdmin" no longer have read access to "/MyTopDirectory".
                    "myAdmin" can no longer "create folder" in "/": "java.lang.Exception: Not a valid basePath null".
                    But it works if there is another directory it has access to (in the first test, there was no other accessible directory) <<<< this is (?) a small problem

                    - I redefined the read permissions on "/MyTopDirectory" to give it to "myRole" and "myRole2", and the manage permission to "Administrators"
                    1) "myRole" and "myRole2" did not get the read permission <<<<< this is a big problem (2)
                    2) "myAdmin" got the manage permission and the write permission


                    Please tell me if I can do something to give write access to "/MyTopDirectory" for "mySupervisor" (cf. (1)) and read access to "/MyTopDirectory" for "myRole" and "myRole2" (cf. (2)).
                    Thanks a lot.